# HG changeset patch # User Matt Johnston # Date 1518794268 -28800 # Node ID 1028b0111f89ed835e3e73277f31c0bf1bbd2f60 # Parent 35f38af1238b1dd4192c123cee8cd83eeaff5c89# Parent ee7153a05ffcbf954cf4fcd2f8a390b96cf3da80 merge diff -r ee7153a05ffc -r 1028b0111f89 Makefile.in --- a/Makefile.in Thu Feb 15 23:30:54 2018 +0800 +++ b/Makefile.in Fri Feb 16 23:17:48 2018 +0800 @@ -20,7 +20,7 @@ ifeq (@BUNDLED_LIBTOM@, 1) LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM) CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ -LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) +LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) endif ifneq ($(wildcard localoptions.h),) diff -r ee7153a05ffc -r 1028b0111f89 cli-auth.c --- a/cli-auth.c Thu Feb 15 23:30:54 2018 +0800 +++ b/cli-auth.c Fri Feb 16 23:17:48 2018 +0800 @@ -60,9 +60,11 @@ */ if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) { ses.authstate.authtypes = AUTH_TYPE_PUBKEY; +#if DROPBEAR_USE_DROPBEAR_PASSWORD if (getenv(DROPBEAR_PASSWORD_ENV)) { ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; } +#endif if (cli_auth_try() == DROPBEAR_SUCCESS) { TRACE(("skipped initial none auth query")) /* Note that there will be two auth responses in-flight */ @@ -335,7 +337,7 @@ { char* password = NULL; -#ifdef DROPBEAR_PASSWORD_ENV +#if DROPBEAR_USE_DROPBEAR_PASSWORD /* Password provided in an environment var */ password = getenv(DROPBEAR_PASSWORD_ENV); if (password) diff -r ee7153a05ffc -r 1028b0111f89 cli-runopts.c --- a/cli-runopts.c Thu Feb 15 23:30:54 2018 +0800 +++ b/cli-runopts.c Fri Feb 16 23:17:48 2018 +0800 @@ -306,10 +306,10 @@ case 'm': #endif case 'D': -#ifndef DROPBEAR_CLI_REMOTETCPFWD +#if !DROPBEAR_CLI_REMOTETCPFWD case 'R': #endif -#ifndef DROPBEAR_CLI_LOCALTCPFWD +#if !DROPBEAR_CLI_LOCALTCPFWD case 'L': #endif case 'V': diff -r ee7153a05ffc -r 1028b0111f89 dbrandom.c --- a/dbrandom.c Thu Feb 15 23:30:54 2018 +0800 +++ b/dbrandom.c Fri Feb 16 23:17:48 2018 +0800 @@ -59,7 +59,7 @@ unsigned int readcount; int ret = DROPBEAR_FAILURE; -#ifdef DROPBEAR_PRNGD_SOCKET +#if DROPBEAR_USE_PRNGD if (prngd) { readfd = connect_unix(filename); @@ -107,7 +107,7 @@ wantread = MIN(sizeof(readbuf), len-readcount); } -#ifdef DROPBEAR_PRNGD_SOCKET +#if DROPBEAR_USE_PRNGD if (prngd) { char egdcmd[2]; @@ -157,7 +157,7 @@ static void write_urandom() { -#ifndef DROPBEAR_PRNGD_SOCKET +#if !DROPBEAR_USE_PRNGD /* This is opportunistic, don't worry about failure */ unsigned char buf[INIT_SEED_SIZE]; FILE *f = fopen(DROPBEAR_URANDOM_DEV, "w"); @@ -185,7 +185,7 @@ /* existing state */ sha1_process(&hs, (void*)hashpool, sizeof(hashpool)); -#ifdef DROPBEAR_PRNGD_SOCKET +#if DROPBEAR_USE_PRNGD if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1) != DROPBEAR_SUCCESS) { dropbear_exit("Failure reading random device %s", diff -r ee7153a05ffc -r 1028b0111f89 dbutil.c --- a/dbutil.c Thu Feb 15 23:30:54 2018 +0800 +++ b/dbutil.c Fri Feb 16 23:17:48 2018 +0800 @@ -214,7 +214,7 @@ #endif /* DEBUG_TRACE */ /* Connect to a given unix socket. The socket is blocking */ -#ifdef ENABLE_CONNECT_UNIX +#if ENABLE_CONNECT_UNIX int connect_unix(const char* path) { struct sockaddr_un addr; int fd = -1; diff -r ee7153a05ffc -r 1028b0111f89 dbutil.h --- a/dbutil.h Thu Feb 15 23:30:54 2018 +0800 +++ b/dbutil.h Fri Feb 16 23:17:48 2018 +0800 @@ -59,7 +59,7 @@ int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data, int *writefd, int *readfd, int *errfd, pid_t *pid); void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell); -#ifdef ENABLE_CONNECT_UNIX +#if ENABLE_CONNECT_UNIX int connect_unix(const char* addr); #endif int buf_readfile(buffer* buf, const char* filename); diff -r ee7153a05ffc -r 1028b0111f89 default_options.h.in --- a/default_options.h.in Thu Feb 15 23:30:54 2018 +0800 +++ b/default_options.h.in Fri Feb 16 23:17:48 2018 +0800 @@ -36,10 +36,9 @@ #define NON_INETD_MODE 1 #define INETD_MODE 1 -/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is - * perhaps 20% slower for pubkey operations (it is probably worth experimenting - * if you want to use this) */ -/*#define NO_FAST_EXPTMOD*/ +#if !(NON_INETD_MODE || INETD_MODE) + #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." +#endif /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save several kB in binary size however will make the symmetrical ciphers and hashes @@ -77,7 +76,7 @@ #define DROPBEAR_CLI_NETCAT 1 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ -#define ENABLE_USER_ALGO_LIST 1 +#define DROPBEAR_USER_ALGO_LIST 1 /* Encryption - at least one required. * Protocol RFC requires 3DES and recommends AES128 for interoperability. @@ -86,10 +85,15 @@ #define DROPBEAR_AES128 1 #define DROPBEAR_3DES 1 #define DROPBEAR_AES256 1 -/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ -/*#define DROPBEAR_BLOWFISH*/ #define DROPBEAR_TWOFISH256 1 #define DROPBEAR_TWOFISH128 1 +/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ +#define DROPBEAR_BLOWFISH 0 + +#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ + || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128) + #error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended." +#endif /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ @@ -129,6 +133,10 @@ * on x86-64 */ #define DROPBEAR_ECDSA 1 +#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA) + #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended." +#endif + /* RSA must be >=1024 */ #define DROPBEAR_DEFAULT_RSA_SIZE 2048 /* DSS is always 1024 */ @@ -193,15 +201,38 @@ * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ +/* PAM requires ./configure --enable-pam */ +#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH + #define DROPBEAR_SVR_PAM_AUTH 1 +#else + #define DROPBEAR_SVR_PAM_AUTH 0 +#endif + /* This requires crypt() */ -#ifdef HAVE_CRYPT -#define DROPBEAR_SVR_PASSWORD_AUTH 1 +#if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH + #define DROPBEAR_SVR_PASSWORD_AUTH 1 #else -#define DROPBEAR_SVR_PASSWORD_AUTH 0 + #define DROPBEAR_SVR_PASSWORD_AUTH 0 +#endif + +#define DROPBEAR_SVR_PUBKEY_AUTH 1 + +#if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH) + #error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended." #endif -/* PAM requires ./configure --enable-pam */ -#define DROPBEAR_SVR_PAM_AUTH 0 -#define DROPBEAR_SVR_PUBKEY_AUTH 1 + +#if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT + #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." +#endif + +#if DROPBEAR_SVR_PAM_AUTH + #if DISABLE_PAM + #error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed." + #endif + #if DROPBEAR_SVR_PASSWORD_AUTH + #error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH." + #endif +#endif /* Whether to take public key options in * authorized_keys file into account */ @@ -209,11 +240,18 @@ /* This requires getpass. */ #ifdef HAVE_GETPASS -#define DROPBEAR_CLI_PASSWORD_AUTH 1 -#define DROPBEAR_CLI_INTERACT_AUTH 1 + #define DROPBEAR_CLI_PASSWORD_AUTH 1 + #define DROPBEAR_CLI_INTERACT_AUTH 1 +#else + #define DROPBEAR_CLI_PASSWORD_AUTH 0 + #define DROPBEAR_CLI_INTERACT_AUTH 0 #endif #define DROPBEAR_CLI_PUBKEY_AUTH 1 +#if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH) + #error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended." +#endif + /* A default argument for dbclient -i . Homedir is prepended unless path begins with / */ #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" @@ -224,7 +262,7 @@ * note that it will be provided for all "hidden" client-interactive * style prompts - if you want something more sophisticated, use * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ -#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" +#define DROPBEAR_USE_DROPBEAR_PASSWORD 1 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of * a helper program for the ssh client. The helper program should be @@ -233,6 +271,10 @@ * return the password on standard output */ #define DROPBEAR_CLI_ASKPASS_HELPER 0 +#if DROPBEAR_CLI_ASKPASS_HELPER + #define DROPBEAR_CLI_PASSWORD_AUTH 1 +#endif + /* Save a network roundtrip by sendng a real auth request immediately after * sending a query for the available methods. It is at the expense of < 100 * bytes of extra network traffic. This is not yet enabled by default since it @@ -245,8 +287,8 @@ #define DROPBEAR_URANDOM_DEV "/dev/urandom" /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ -/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ - +#define DROPBEAR_USE_PRNGD 0 +#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" /* Specify the number of clients we will allow to be connected but * not yet authenticated. After this limit, connections are rejected */ @@ -269,6 +311,8 @@ * "-q" for quiet */ #define XAUTH_COMMAND "/usr/bin/xauth -q" +#define DROPBEAR_SFTPSERVER 1 + /* if you want to enable running an sftp server (such as the one included with * OpenSSH), set the path below. If the path isn't defined, sftp will not * be enabled */ diff -r ee7153a05ffc -r 1028b0111f89 keyimport.c --- a/keyimport.c Thu Feb 15 23:30:54 2018 +0800 +++ b/keyimport.c Fri Feb 16 23:17:48 2018 +0800 @@ -870,7 +870,7 @@ */ numbers[0].start = zero; numbers[0].bytes = 1; zero[0] = '\0'; - #ifdef DROPBEAR_RSA + #if DROPBEAR_RSA if (key->type == DROPBEAR_SIGNKEY_RSA) { if (key->rsakey->p == NULL || key->rsakey->q == NULL) { @@ -966,7 +966,7 @@ } #endif /* DROPBEAR_RSA */ - #ifdef DROPBEAR_DSS + #if DROPBEAR_DSS if (key->type == DROPBEAR_SIGNKEY_DSS) { /* p */ diff -r ee7153a05ffc -r 1028b0111f89 libtomcrypt/src/headers/tomcrypt_custom.h --- a/libtomcrypt/src/headers/tomcrypt_custom.h Thu Feb 15 23:30:54 2018 +0800 +++ b/libtomcrypt/src/headers/tomcrypt_custom.h Fri Feb 16 23:17:48 2018 +0800 @@ -68,8 +68,8 @@ #define LTC_NO_MODES #define LTC_NO_HASHES #define LTC_NO_MACS - #define LTC_NO_PRNGS - #define LTC_NO_PK + #define LTC_NO_PRNGS + #define LTC_NO_PK #define LTC_NO_PKCS #define LTC_NO_MISC #endif /* LTC_NOTHING */ diff -r ee7153a05ffc -r 1028b0111f89 netio.c --- a/netio.c Thu Feb 15 23:30:54 2018 +0800 +++ b/netio.c Fri Feb 16 23:17:48 2018 +0800 @@ -613,7 +613,7 @@ int flags = NI_NUMERICSERV | NI_NUMERICHOST; -#ifndef DO_HOST_LOOKUP +#if !DO_HOST_LOOKUP host_lookup = 0; #endif diff -r ee7153a05ffc -r 1028b0111f89 runopts.h --- a/runopts.h Thu Feb 15 23:30:54 2018 +0800 +++ b/runopts.h Fri Feb 16 23:17:48 2018 +0800 @@ -86,7 +86,7 @@ int ipv6; */ -#ifdef DO_MOTD +#if DO_MOTD /* whether to print the MOTD */ int domotd; #endif diff -r ee7153a05ffc -r 1028b0111f89 signkey.c --- a/signkey.c Thu Feb 15 23:30:54 2018 +0800 +++ b/signkey.c Fri Feb 16 23:17:48 2018 +0800 @@ -78,13 +78,13 @@ #if DROPBEAR_ECDSA /* Some of the ECDSA key sizes are defined even if they're not compiled in */ if (0 -#ifndef DROPBEAR_ECC_256 +#if !DROPBEAR_ECC_256 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP256 #endif -#ifndef DROPBEAR_ECC_384 +#if !DROPBEAR_ECC_384 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP384 #endif -#ifndef DROPBEAR_ECC_521 +#if !DROPBEAR_ECC_521 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP521 #endif ) { diff -r ee7153a05ffc -r 1028b0111f89 svr-authpubkey.c --- a/svr-authpubkey.c Thu Feb 15 23:30:54 2018 +0800 +++ b/svr-authpubkey.c Fri Feb 16 23:17:48 2018 +0800 @@ -473,12 +473,4 @@ return DROPBEAR_SUCCESS; } -#ifdef DROPBEAR_FUZZ -int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename, - const char* algo, unsigned int algolen, - const unsigned char* keyblob, unsigned int keybloblen) { - return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen); -} #endif - -#endif diff -r ee7153a05ffc -r 1028b0111f89 svr-authpubkeyoptions.c --- a/svr-authpubkeyoptions.c Thu Feb 15 23:30:54 2018 +0800 +++ b/svr-authpubkeyoptions.c Fri Feb 16 23:17:48 2018 +0800 @@ -100,7 +100,7 @@ chansess->original_command = m_strdup(""); } chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); -#ifdef LOG_COMMANDS +#if LOG_COMMANDS dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command); #endif } diff -r ee7153a05ffc -r 1028b0111f89 svr-chansession.c --- a/svr-chansession.c Thu Feb 15 23:30:54 2018 +0800 +++ b/svr-chansession.c Fri Feb 16 23:17:48 2018 +0800 @@ -663,7 +663,7 @@ } } if (issubsys) { -#ifdef SFTPSERVER_PATH +#if DROPBEAR_SFTPSERVER if ((cmdlen == 4) && strncmp(chansess->cmd, "sftp", 4) == 0) { m_free(chansess->cmd); chansess->cmd = m_strdup(SFTPSERVER_PATH); @@ -687,7 +687,7 @@ } -#ifdef LOG_COMMANDS +#if LOG_COMMANDS if (chansess->cmd) { dropbear_log(LOG_INFO, "User %s executing '%s'", ses.authstate.pw_name, chansess->cmd); @@ -774,7 +774,7 @@ pid_t pid; struct logininfo *li = NULL; -#ifdef DO_MOTD +#if DO_MOTD buffer * motdbuf = NULL; int len; struct stat sb; @@ -826,7 +826,7 @@ login_login(li); login_free_entry(li); -#ifdef DO_MOTD +#if DO_MOTD if (svr_opts.domotd && !chansess->cmd) { /* don't show the motd if ~/.hushlogin exists */ diff -r ee7153a05ffc -r 1028b0111f89 svr-main.c --- a/svr-main.c Thu Feb 15 23:30:54 2018 +0800 +++ b/svr-main.c Fri Feb 16 23:17:48 2018 +0800 @@ -35,10 +35,10 @@ static void sigchld_handler(int dummy); static void sigsegv_handler(int); static void sigintterm_handler(int fish); -#ifdef INETD_MODE +#if INETD_MODE static void main_inetd(void); #endif -#ifdef NON_INETD_MODE +#if NON_INETD_MODE static void main_noinetd(void); #endif static void commonsetup(void); @@ -58,7 +58,7 @@ /* get commandline options */ svr_getopts(argc, argv); -#ifdef INETD_MODE +#if INETD_MODE /* service program mode */ if (svr_opts.inetdmode) { main_inetd(); @@ -66,7 +66,7 @@ } #endif -#ifdef NON_INETD_MODE +#if NON_INETD_MODE main_noinetd(); /* notreached */ #endif @@ -76,7 +76,7 @@ } #endif -#ifdef INETD_MODE +#if INETD_MODE static void main_inetd() { char *host, *port = NULL; @@ -110,7 +110,7 @@ } #endif /* INETD_MODE */ -#ifdef NON_INETD_MODE +#if NON_INETD_MODE static void main_noinetd() { fd_set fds; unsigned int i, j; diff -r ee7153a05ffc -r 1028b0111f89 svr-runopts.c --- a/svr-runopts.c Thu Feb 15 23:30:54 2018 +0800 +++ b/svr-runopts.c Fri Feb 16 23:17:48 2018 +0800 @@ -64,7 +64,7 @@ #else "-E Log to stderr rather than syslog\n" #endif -#ifdef DO_MOTD +#if DO_MOTD "-m Don't display the motd on login\n" #endif "-w Disallow root logins\n" @@ -88,7 +88,7 @@ " (default port is %s if none specified)\n" "-P PidFile Create pid file PidFile\n" " (default %s)\n" -#ifdef INETD_MODE +#if INETD_MODE "-i Start for inetd\n" #endif "-W (default %d, larger may be faster, max 1MB)\n" @@ -156,7 +156,7 @@ opts.ipv4 = 1; opts.ipv6 = 1; */ -#ifdef DO_MOTD +#if DO_MOTD svr_opts.domotd = 1; #endif #ifndef DISABLE_SYSLOG @@ -210,7 +210,7 @@ opts.listen_fwd_all = 1; break; #endif -#ifdef INETD_MODE +#if INETD_MODE case 'i': svr_opts.inetdmode = 1; break; @@ -221,7 +221,7 @@ case 'P': next = &svr_opts.pidfile; break; -#ifdef DO_MOTD +#if DO_MOTD /* motd is displayed by default, -m turns it off */ case 'm': svr_opts.domotd = 0; diff -r ee7153a05ffc -r 1028b0111f89 svr-tcpfwd.c --- a/svr-tcpfwd.c Thu Feb 15 23:30:54 2018 +0800 +++ b/svr-tcpfwd.c Fri Feb 16 23:17:48 2018 +0800 @@ -35,7 +35,7 @@ #include "auth.h" #include "netio.h" -#ifndef DROPBEAR_SVR_REMOTETCPFWD +#if !DROPBEAR_SVR_REMOTETCPFWD /* This is better than SSH_MSG_UNIMPLEMENTED */ void recv_msg_global_request_remotetcp() { diff -r ee7153a05ffc -r 1028b0111f89 sysoptions.h --- a/sysoptions.h Thu Feb 15 23:30:54 2018 +0800 +++ b/sysoptions.h Fri Feb 16 23:17:48 2018 +0800 @@ -192,7 +192,7 @@ #define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD)) -#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_PRNGD_SOCKET)) +#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_USE_PRNGD)) /* if we're using authorized_keys or known_hosts */ #define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH))