changeset 1557:61a793b6e471 fuzz

merge from main
author Matt Johnston <matt@ucc.asn.au>
date Wed, 28 Feb 2018 21:28:59 +0800
parents bb8eaa26bc93 (current diff) 4c382cbb19e6 (diff)
children 2f64cb3d3007
files Makefile.in configure.ac runopts.h svr-auth.c svr-runopts.c
diffstat 13 files changed, 70 insertions(+), 22 deletions(-) [+]
line wrap: on
line diff
--- a/.hgsigs	Mon Feb 26 22:44:48 2018 +0800
+++ b/.hgsigs	Wed Feb 28 21:28:59 2018 +0800
@@ -23,3 +23,4 @@
 70705edee9dd29cd3d410f19fbd15cc3489313e2 0 iQIcBAABCgAGBQJW7CQRAAoJEESTFJTynGdzTj0QAJL38CKSZthBAeI9c6B+IlwIeT6kPZaPqk1pkycCTWOe87NiNU9abrsF+JrjTuRQiO1EpM2IvfQEIXTijUcMxvld3PnzrZDDv6UvBLtOkn3i++HSVRO0MOuTKI8gFDEPUxRtcaCKXEbqYnf1OTK25FT09Vb//qP9mK1thvlLJmbV+D2a9MkMK66rom1d1h+347IsuwsM+ycHjB80VVAQLA7VYLC5YIwmL17dSmcQLvetfikAMwwmUE+KES4qiLSaqOcAWcKcU67RZzgMMv5o0rESlQmv1nj0mHZtHoUR71sd21emPaRXLOr0oT5YogWUphKq2qVthRn2B06+vd3hPdtn92CmJw9j7zT2jl4OeSjNm9qfAajsRzHIANssFxkGAb7w/LxcMoO29JC+01iUUJMdOVm+4Ns6wGI7qxssWPKdB+VbQUDlHrXLR+sopO524uhkYoWB6DVfTj4R6tImaHtj5/VXON0lsYaLGj8cSH60emL6nNQ0lYV/bSlk6l0s+0x3uXGZnp9oKA+vqMzHfG3vJeMm6KUqtFVjUsYx+q8nHm5/SlWxj1EwnkH8s8ELKZAUXjd76nWEwJ7JFRNRSQWvjOUh3/rsOo4JopzZXPsjCjm+Vql9TG0X6hB21noai32oD5RvfhtR/NX6sXNS5TKZz/j/cMsMnAAsSKb6W7Jm
 9030ffdbe5625e35ed7189ab84a41dfc8d413e9c 0 iQIcBAABCgAGBQJXkOg0AAoJEESTFJTynGdzc1kP/3vSKCnhOOvjCjnpTQadYcCUq8vTNnfLHYVu0R4ItPa/jT6RmxoaYP+lZnLnnBx9+aX7kzwHsa9BUX3MbMEyLrOzX2I+bDJbNPhQyupyCuPYlf5Q9KVcO9YlpbsC4q5XBzCn3j2+pT8kSfi9uD8fgY3TgE4w9meINrfQAealfjwMLT8S/I49/ni0r+usSfk/dnSShJYDUO7Ja0VWbJea/GkkZTu30bCnMUZPjRApipU3hPP63WFjkSMT1rp2mAXbWqyr9lf8z32yxzM9nMSjq4ViRFzFlkGtE3EVRJ4PwkO7JuiWAMPJpiQcEr+r52cCsmWhiGyHuINo01MwoMO9/n6uL1WVa3mJcE9se3xBOvfgDu2FRFGCAdm1tef+AGVo9EG1uJXi0sX2yUc6DMeuYaRWrXMMlZh7zp9cuNU9Y/lLui9RFmq66yeXG3Z2B72doju3Ig5QGrNNw2AOsSzeHdAtOp6ychqPcl9QfIeJQG18KyPSefZKM3G8YRKBRIwXFEH6iZJe5ZIP4iXrHDMn2JqtTRtDqKR8VNDAgb9z4Ffx8QRxFyj5JzTTMM1GddHb9udLvTQlO0ULYG7hCSMRNzvUBE2aTw8frjLRyfyyg3QpDu/hz8op8s1ecE8rTCD8RuX9DiiylNozypPtGNS+UDbAmkc1PCWaRpPVl+9K6787
 5c9207ceedaea794f958224c19214d66af6e2d56 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlkdtooACgkQRJMUlPKcZ3P6ZxAAmLy/buZB/d96DJF/pViRWt/fWdjQFC4MqWfeSLW02OZ8Qkm1vPL3ln6WPHC2thy3xZWVg2uan3pLk/XXnsIFu8Q7r1EAfFFpvlMUmdl7asE8V6ilaeqmiI7bIvGMFbf4cZkQliLjiFkJX56tFHRCNi+rb7WgRuru3/GzPXUq2AvXZvFpFJgik0B72TxVlmCKeBRZq1FvP0UhAH48RJWYJksdEyzh2paMfjX9ZO5Q2SFFrmPw6k2ArdJFC1AYcgceZC84y06RKJ0WiSntUPlEUXgQbQVVWbtQDhjfJXMr/beuroNdT/vsRraLVkAzvhaDXNnHlAJNLQxci+AcLpnzZhxMW+ax7RRtrpXGxRN4cs0lBGUcSkaDybFqMYXwEjXAE8w6fdJRWCIlxctkAW/iNEO4kAG97hI2Qwcw5oU2Ymnv09zyGR+XJE35pJqPulJHExdwanJHvmjH0QF7TNFS82yxS5dKnP954cj3Lu9SWGYWjxQJRmLtOwb+lqqol4VTxG7Ois4uef9/Tpp9skeMZXVeNlpn2wrp6iFcX3uiiVDg9VKkl3ig6UqCiqQSuiIN87RXwUOeHXlCnW3adz3Xei0ziBrwLSql7lBIHGEAlUUNmJ3CrR8IwQtcynGEMKfNIeZ/XK+uNlm9cJIqZf1fzqc8KexlyS9AS0i/kiYZTr4=
+2f0c3f3361d3ea4eb9129ed8810699fda7e7a8ee 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlqVb+IACgkQRJMUlPKcZ3OENA//R9HsOUJQB2QZjRgAvqgLn2AMLUvmWb2etTZEc3Nps957Fw1F4kjh6VGfIpWuytfsDx1W8qRx09ikTdb3YteMWCuX8/aFreSPrioYmzrAEcxkZdA7B/jciqU0iXuHiJ9saKk5TR70aNp+iRy0hjAgiYEsVMF9YKHzULOJcHr70x9XVKquubQkwNqJA+/b2JbK2j46wM5nVK/alGSI2kMmEzXmAHQxsvf1OLMvgH8ou/l0xsg/CuFEK299XKfZAbsFEXrjuoWZ1aSa6rTeOWsWli5T+czyyJHI4Eu0Sz/gaR8+MPhJSYes8YjvzEdv32rRMDVOdBq4e+HoTgFt/THYABP6/R1H5fX3Lm4K8u9F9SwJbb/YKRAIrfWDob8ApnGFHk2dyYO20Fskbbg6b1pC7ulDWsufu8lYkQyMlTc3dR6P4eTB6mKO4x+gMG6tIYZ60fiULoEnMJCgegPtevmz+TG1rzdjh3ljiw9Dxz5lNtL+W7sBKKHwhyG0u+bavgmvBMKNL/rdHEM+0yCIz1U6Lb8sVaST1E4zbdm7cWHbSozBij3G0GBSkLFEq7ZLlh8wco9rELRh0Y9fFsWY9j6H/PTOu0GfHrYluFb9WGywHAquQY8j2croRx+MrvTbR1wZrbevPNm9gqk3vgOiDWu7KwxLLqcj+dEQ7tccptVYtbM=
--- a/.hgtags	Mon Feb 26 22:44:48 2018 +0800
+++ b/.hgtags	Wed Feb 28 21:28:59 2018 +0800
@@ -55,3 +55,4 @@
 309e1c4a87682b6ca7d80b8555a1db416c3cb7ac DROPBEAR_2016.73
 0ed3d2bbf956cb8a9bf0f4b5a86b7dd9688205cb DROPBEAR_2016.74
 c31276613181c5cff7854e7ef586ace03424e55e DROPBEAR_2017.75
+1c66ca4f3791c82501c88e7637312182c7294978 DROPBEAR_2018.76
--- a/CHANGES	Mon Feb 26 22:44:48 2018 +0800
+++ b/CHANGES	Wed Feb 28 21:28:59 2018 +0800
@@ -1,6 +1,7 @@
-Upcoming...
+2018.76 - 27 February 2018
 
-- IMPORTANT:
+> > > Configuration/compatibility changes
+  IMPORTANT
   Custom configuration is now specified in local_options.h rather than options.h
   Available options and defaults can be seen in default_options.h
 
@@ -9,10 +10,10 @@
   be put in localoptions.h
 
 - "configure --enable-static" should now be used instead of "make STATIC=1"
+  This will avoid 'hardened build' flags that conflict with static binaries
 
-- Add group14-256 and group16 key exchange options
-
-- Set hardened build flags by default if supported by the compiler.
+- Set 'hardened build' flags by default if supported by the compiler.
+  These can be disabled with configure --disable-harden if needed.
   -Wl,-pie
   -Wl,-z,now -Wl,-z,relro
   -fstack-protector-strong
@@ -21,9 +22,24 @@
   -mfunction-return=thunk
   -mindirect-branch=thunk
 
-  These can be disabled with configure --disable-harden if needed
   Spectre patch from Loganaden Velvindron
 
+- "dropbear -r" option for hostkeys no longer attempts to load the default
+  hostkey paths as well. If desired these can be specified manually. 
+  Patch from CamVan Nguyen
+
+- group1-sha1 key exchange is disabled in the server by default since
+  the fixed 1024-bit group may be susceptible to attacks
+
+- twofish ciphers are now disabled in the default configuration
+
+- Default generated ECDSA key size is now 256 (rather than 521) 
+  for better interoperability
+
+- Minimum RSA key length has been increased to 1024 bits
+
+> > > Other features and fixes
+
 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
 
 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
@@ -31,18 +47,25 @@
 
 - Add "-c forced_command" option. Patch from Jeremy Kerr
 
+- Restricted group -G option added with patch from stellarpower
+
 - Support server-chosen TCP forwarding ports, patch from houseofkodai
 
 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
   Patch from houseofkodai
 
-- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
+- Makefile will now rebuild object files when header files are modified
+
+- Add group14-256 and group16 key exchange options
 
-- Minimum RSA key length has been increased to 1024 bits
+- curve25519-sha256 also supported without @libssh.org suffix
+
+- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
+  This fixes building with some recent versions of clang
 
 - Set PAM_RHOST which is needed by modules such as pam_abl
 
-- Improvements to DSS public key validation, found by OSS-Fuzz. 
+- Improvements to DSS and RSA public key validation, found by OSS-Fuzz. 
 
 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz
 
--- a/Makefile.in	Mon Feb 26 22:44:48 2018 +0800
+++ b/Makefile.in	Wed Feb 28 21:28:59 2018 +0800
@@ -19,6 +19,7 @@
 
 ifeq (@BUNDLED_LIBTOM@, 1)
 LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM) 
+LIBTOM_CLEAN=ltc-clean ltm-clean
 CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/
 LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
 endif
@@ -226,7 +227,7 @@
 sizes: dropbear
 	objdump -t dropbear|grep ".text"|cut -d "." -f 2|sort -rn
 
-clean: ltc-clean ltm-clean thisclean
+clean: $(LIBTOM_CLEAN) thisclean
 
 thisclean:
 	-rm -f dropbear$(EXEEXT) dbclient$(EXEEXT) dropbearkey$(EXEEXT) \
--- a/README	Mon Feb 26 22:44:48 2018 +0800
+++ b/README	Wed Feb 28 21:28:59 2018 +0800
@@ -8,8 +8,8 @@
 
 SMALL has some tips on creating small binaries.
 
-See TODO for a few of the things I know need looking at, and please contact
-me if you have any questions/bugs found/features/ideas/comments etc :)
+Please contact me if you have any questions/bugs found/features/ideas/comments etc :)
+There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear
 
 Matt Johnston
 [email protected]
--- a/configure.ac	Mon Feb 26 22:44:48 2018 +0800
+++ b/configure.ac	Wed Feb 28 21:28:59 2018 +0800
@@ -339,9 +339,9 @@
 # Checks for header files.
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h \
-	string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h \
-	pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h \
+AC_CHECK_HEADERS([netinet/in.h netinet/tcp.h \
+	crypt.h \
+	pty.h libutil.h libgen.h inttypes.h stropts.h utmp.h \
 	utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h \
 	pam/pam_appl.h netinet/in_systm.h sys/uio.h linux/pkt_sched.h])
 
@@ -498,7 +498,6 @@
 
 AC_CHECK_FUNCS(explicit_bzero memset_s)
 
-
 AC_ARG_ENABLE(bundled-libtom,
 [  --enable-bundled-libtom       Force using bundled libtomcrypt/libtommath even if a system version exists.
   --disable-bundled-libtom      Force using system libtomcrypt/libtommath, fail if it does not exist.
@@ -794,7 +793,9 @@
 AC_PROG_GCC_TRADITIONAL
 AC_FUNC_MEMCMP
 AC_FUNC_SELECT_ARGTYPES
-AC_CHECK_FUNCS([dup2 getpass getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev])
+AC_CHECK_FUNCS([getpass getspnam getusershell putenv])
+AC_CHECK_FUNCS([clearenv strlcpy strlcat daemon basename _getpty getaddrinfo ])
+AC_CHECK_FUNCS([freeaddrinfo getnameinfo fork writev getgrouplist])
 
 AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
 
--- a/debian/changelog	Mon Feb 26 22:44:48 2018 +0800
+++ b/debian/changelog	Wed Feb 28 21:28:59 2018 +0800
@@ -1,3 +1,9 @@
+dropbear (2018.76-0.1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Matt Johnston <[email protected]>  Tue, 27 Feb 2018 22:51:57 +0800
+
 dropbear (2017.75-0.1) unstable; urgency=low
 
   * New upstream release.
--- a/debian/dropbear.docs	Mon Feb 26 22:44:48 2018 +0800
+++ b/debian/dropbear.docs	Wed Feb 28 21:28:59 2018 +0800
@@ -1,4 +1,3 @@
 README
-TODO
 debian/README.runit
 debian/README.Debian.diet
--- a/runopts.h	Mon Feb 26 22:44:48 2018 +0800
+++ b/runopts.h	Wed Feb 28 21:28:59 2018 +0800
@@ -92,8 +92,14 @@
 #endif
 
 	int norootlogin;
+
+#ifdef HAVE_GETGROUPLIST
+	/* restrict_group is the group name if group restriction was enabled, 
+	NULL otherwise */
 	char *restrict_group;
+	/* restrict_group_gid is only valid if restrict_group is set */
 	gid_t restrict_group_gid;
+#endif
 
 	int noauthpass;
 	int norootpass;
--- a/svr-auth.c	Mon Feb 26 22:44:48 2018 +0800
+++ b/svr-auth.c	Wed Feb 28 21:28:59 2018 +0800
@@ -197,6 +197,7 @@
 	m_free(methodname);
 }
 
+#ifdef HAVE_GETGROUPLIST
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) {
 	int ngroups, i, ret;
@@ -230,7 +231,7 @@
 
 	return match;
 }
-
+#endif
 
 /* Check that the username exists and isn't disallowed (root), and has a valid shell.
  * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
@@ -300,6 +301,7 @@
 	}
 
 	/* check for login restricted to certain group if desired */
+#ifdef HAVE_GETGROUPLIST
 	if (svr_opts.restrict_group) {
 		if (check_group_membership(svr_opts.restrict_group_gid,
 				ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) {
@@ -310,6 +312,7 @@
 			return DROPBEAR_FAILURE;
 		}
 	}
+#endif HAVE_GETGROUPLIST
 
 	TRACE(("shell is %s", ses.authstate.pw_shell))
 
--- a/svr-runopts.c	Mon Feb 26 22:44:48 2018 +0800
+++ b/svr-runopts.c	Wed Feb 28 21:28:59 2018 +0800
@@ -70,7 +70,9 @@
 					"-m		Don't display the motd on login\n"
 #endif
 					"-w		Disallow root logins\n"
+#ifdef HAVE_GETGROUPLIST
 					"-G		Restrict logins to members of specified group\n"
+#endif
 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
 					"-s		Disable password logins\n"
 					"-g		Disable password logins for root\n"
@@ -135,8 +137,10 @@
 	svr_opts.forced_command = NULL;
 	svr_opts.forkbg = 1;
 	svr_opts.norootlogin = 0;
+#ifdef HAVE_GETGROUPLIST
 	svr_opts.restrict_group = NULL;
 	svr_opts.restrict_group_gid = 0;
+#endif
 	svr_opts.noauthpass = 0;
 	svr_opts.norootpass = 0;
 	svr_opts.allowblankpass = 0;
@@ -235,9 +239,11 @@
 				case 'w':
 					svr_opts.norootlogin = 1;
 					break;
+#ifdef HAVE_GETGROUPLIST
 				case 'G':
 					next = &svr_opts.restrict_group;
 					break;
+#endif
 				case 'W':
 					next = &recv_window_arg;
 					break;
@@ -340,6 +346,7 @@
 		buf_setpos(svr_opts.banner, 0);
 	}
 
+#ifdef HAVE_GETGROUPLIST
 	if (svr_opts.restrict_group) {
 		struct group *restrictedgroup = getgrnam(svr_opts.restrict_group);
 
@@ -348,8 +355,8 @@
 		} else {
 			dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group);
 		}
-
 	}
+#endif
 	
 	if (recv_window_arg) {
 		opts.recv_window = atol(recv_window_arg);
--- a/svr-tcpfwd.c	Mon Feb 26 22:44:48 2018 +0800
+++ b/svr-tcpfwd.c	Wed Feb 28 21:28:59 2018 +0800
@@ -86,7 +86,7 @@
 	}
 
 	if (strcmp("tcpip-forward", reqname) == 0) {
-		int allocated_listen_port;
+		int allocated_listen_port = 0;
 		ret = svr_remotetcpreq(&allocated_listen_port);
 		/* client expects-port-number-to-make-use-of-server-allocated-ports */
 		if (DROPBEAR_SUCCESS == ret) {
--- a/sysoptions.h	Mon Feb 26 22:44:48 2018 +0800
+++ b/sysoptions.h	Wed Feb 28 21:28:59 2018 +0800
@@ -4,7 +4,7 @@
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2017.75"
+#define DROPBEAR_VERSION "2018.76"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION