merge coverity
--HG--
branch : coverity
diff --git a/.hgsigs b/.hgsigs
index fb2aa02..65c0ce2 100644
--- a/.hgsigs
+++ b/.hgsigs
@@ -20,3 +20,5 @@
5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL
926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW
fd1981f41c626a969f07b4823848deaefef3c8aa 0 iQIcBAABCgAGBQJW4W2TAAoJEESTFJTynGdzuOcP/j6tvB2WRwSj39KoJuRcRebFWWv4ZHiQXYMXWa3X0Ppzz52r9W0cXDjjlp5FyGdovCQsK+IXmjPo5cCvWBrZJYA6usFr9ssnUtTC+45lvPxPYwj47ZGPngCXDt7LD+v08XhqCu4LsctXIP/zejd30KVS1eR2RHI+tnEyaIKC0Xaa0igcv74MZX7Q8/U+B730QMX5adfYAHoeyRhoctRWaxVV3To7Vadd9jNXP45MRY5auhRcK7XyQcS85vJeCRoysfDUas4ERRQWYkX+68GyzO9GrkYFle931Akw2K6ZZfUuiC2TrF5xv1eRP1Zm2GX481U4ZGFTI8IzZL8sVQ6tvzq2Mxsecu589JNui9aB2d8Gp2Su/E2zn0h0ShIRmviGzf2HiBt+Bnji5X2h/fJKWbLaWge0MdOU5Jidfyh9k0YT7xo4piJLJYSaZ3nv+j4jTYnTfL7uYvuWbYkJ1T32aQVCan7Eup3BFAgQjzbWYi1XQVg6fvu8uHPpS3tNNA9EAMeeyTyg1l6zI2EIU5gPfd/dKmdyotY2lZBkFZNJqFkKRZuzjWekcw7hAxS+Bd68GKklt/DGrQiVycAgimqwXrfkzzQagawq2fXL2uXB8ghlsyxKLSQPnAtBF2Jcn5FH2z7HOQ+e18ZrFfNy0cYa/4OdH6K5aK1igTzhZZP2Urn0
+70705edee9dd29cd3d410f19fbd15cc3489313e2 0 iQIcBAABCgAGBQJW7CQRAAoJEESTFJTynGdzTj0QAJL38CKSZthBAeI9c6B+IlwIeT6kPZaPqk1pkycCTWOe87NiNU9abrsF+JrjTuRQiO1EpM2IvfQEIXTijUcMxvld3PnzrZDDv6UvBLtOkn3i++HSVRO0MOuTKI8gFDEPUxRtcaCKXEbqYnf1OTK25FT09Vb//qP9mK1thvlLJmbV+D2a9MkMK66rom1d1h+347IsuwsM+ycHjB80VVAQLA7VYLC5YIwmL17dSmcQLvetfikAMwwmUE+KES4qiLSaqOcAWcKcU67RZzgMMv5o0rESlQmv1nj0mHZtHoUR71sd21emPaRXLOr0oT5YogWUphKq2qVthRn2B06+vd3hPdtn92CmJw9j7zT2jl4OeSjNm9qfAajsRzHIANssFxkGAb7w/LxcMoO29JC+01iUUJMdOVm+4Ns6wGI7qxssWPKdB+VbQUDlHrXLR+sopO524uhkYoWB6DVfTj4R6tImaHtj5/VXON0lsYaLGj8cSH60emL6nNQ0lYV/bSlk6l0s+0x3uXGZnp9oKA+vqMzHfG3vJeMm6KUqtFVjUsYx+q8nHm5/SlWxj1EwnkH8s8ELKZAUXjd76nWEwJ7JFRNRSQWvjOUh3/rsOo4JopzZXPsjCjm+Vql9TG0X6hB21noai32oD5RvfhtR/NX6sXNS5TKZz/j/cMsMnAAsSKb6W7Jm
+9030ffdbe5625e35ed7189ab84a41dfc8d413e9c 0 iQIcBAABCgAGBQJXkOg0AAoJEESTFJTynGdzc1kP/3vSKCnhOOvjCjnpTQadYcCUq8vTNnfLHYVu0R4ItPa/jT6RmxoaYP+lZnLnnBx9+aX7kzwHsa9BUX3MbMEyLrOzX2I+bDJbNPhQyupyCuPYlf5Q9KVcO9YlpbsC4q5XBzCn3j2+pT8kSfi9uD8fgY3TgE4w9meINrfQAealfjwMLT8S/I49/ni0r+usSfk/dnSShJYDUO7Ja0VWbJea/GkkZTu30bCnMUZPjRApipU3hPP63WFjkSMT1rp2mAXbWqyr9lf8z32yxzM9nMSjq4ViRFzFlkGtE3EVRJ4PwkO7JuiWAMPJpiQcEr+r52cCsmWhiGyHuINo01MwoMO9/n6uL1WVa3mJcE9se3xBOvfgDu2FRFGCAdm1tef+AGVo9EG1uJXi0sX2yUc6DMeuYaRWrXMMlZh7zp9cuNU9Y/lLui9RFmq66yeXG3Z2B72doju3Ig5QGrNNw2AOsSzeHdAtOp6ychqPcl9QfIeJQG18KyPSefZKM3G8YRKBRIwXFEH6iZJe5ZIP4iXrHDMn2JqtTRtDqKR8VNDAgb9z4Ffx8QRxFyj5JzTTMM1GddHb9udLvTQlO0ULYG7hCSMRNzvUBE2aTw8frjLRyfyyg3QpDu/hz8op8s1ecE8rTCD8RuX9DiiylNozypPtGNS+UDbAmkc1PCWaRpPVl+9K6787
diff --git a/.hgtags b/.hgtags
index e9263f5..0cae712 100644
--- a/.hgtags
+++ b/.hgtags
@@ -52,3 +52,5 @@
79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70
9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71
78b12b6549be08b0bea3da329b2578060a76ca31 DROPBEAR_2016.72
+309e1c4a87682b6ca7d80b8555a1db416c3cb7ac DROPBEAR_2016.73
+0ed3d2bbf956cb8a9bf0f4b5a86b7dd9688205cb DROPBEAR_2016.74
diff --git a/.travis.yml b/.travis.yml
index 4c4c0cc..f503d02 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,7 +16,9 @@
script:
- autoconf && autoheader && ./configure CFLAGS="-O2 -Wall -Wno-pointer-sign" --prefix="$HOME/inst"
- - make -j3 install
+ - make -j3
+ # avoid concurrent install, osx/freebsd is racey (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208093)
+ - make install
env:
global:
diff --git a/CHANGES b/CHANGES
index ceb01be..95becd4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,35 @@
+2016.74 - 21 July 2016
+
+- Security: Message printout was vulnerable to format string injection.
+
+ If specific usernames including "%" symbols can be created on a system
+ (validated by getpwnam()) then an attacker could run arbitrary code as root
+ when connecting to Dropbear server.
+
+ A dbclient user who can control username or host arguments could potentially
+ run arbitrary code as the dbclient user. This could be a problem if scripts
+ or webpages pass untrusted input to the dbclient program.
+
+- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
+ the local dropbearconvert user when parsing malicious key files
+
+- Security: dbclient could run arbitrary code as the local dbclient user if
+ particular -m or -c arguments are provided. This could be an issue where
+ dbclient is used in scripts.
+
+- Security: dbclient or dropbear server could expose process memory to the
+ running user if compiled with DEBUG_TRACE and running with -v
+
+ The security issues were reported by an anonymous researcher working with
+ Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html
+
+- Fix port forwarding failure when connecting to domains that have both
+ IPv4 and IPv6 addresses. The bug was introduced in 2015.68
+
+- Fix 100% CPU use while waiting for rekey to complete. Thanks to Zhang Hui P
+ for the patch
+
+
2016.73 - 18 March 2016
- Support syslog in dbclient, option -o usesyslog=yes. Patch from Konstantin Tokarev
diff --git a/Makefile.in b/Makefile.in
index d9bfdfa..dbd4745 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,10 @@
LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
endif
+ifneq ($(wildcard localoptions.h),)
+CFLAGS+=-DLOCALOPTIONS_H_EXISTS
+endif
+
COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
dss.o bignum.o \
signkey.o rsa.o dbrandom.o \
@@ -76,6 +80,8 @@
sbindir=@sbindir@
mandir=@mandir@
+.DELETE_ON_ERROR:
+
CC=@CC@
AR=@AR@
RANLIB=@RANLIB@
@@ -155,7 +161,6 @@
inst_dropbearmulti: $(addprefix insmulti, $(PROGRAMS))
-
# for some reason the rule further down doesn't like $($@objs) as a prereq.
dropbear: $(dropbearobjs)
dbclient: $(dbclientobjs)
@@ -195,18 +200,18 @@
-ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT)
$(STATIC_LTC): options.h
- cd libtomcrypt && $(MAKE)
+ $(MAKE) -C libtomcrypt
$(STATIC_LTM): options.h
- cd libtommath && $(MAKE)
+ $(MAKE) -C libtommath
.PHONY : clean sizes thisclean distclean tidy ltc-clean ltm-clean
ltc-clean:
- cd libtomcrypt && $(MAKE) clean
+ $(MAKE) -C libtomcrypt clean
ltm-clean:
- cd libtommath && $(MAKE) clean
+ $(MAKE) -C libtommath clean
sizes: dropbear
objdump -t dropbear|grep ".text"|cut -d "." -f 2|sort -rn
@@ -215,7 +220,7 @@
thisclean:
-rm -f dropbear dbclient dropbearkey dropbearconvert scp scp-progress \
- dropbearmulti *.o *.da *.bb *.bbg *.prof
+ dropbearmulti *.o *.da *.bb *.bbg *.prof
distclean: clean tidy
-rm -f config.h
@@ -223,3 +228,11 @@
tidy:
-rm -f *~ *.gcov */*~
+
+# default_options.h is stored in version control, could not find a workaround
+# for parallel "make -j" and dependency rules.
+default_options.h: default_options.h.in
+ echo "# > > > Generated from $^, edit that file instead !" > $@.tmp
+ echo >> $@.tmp
+ $(srcdir)/ifndef_wrapper.sh < $^ > $@.tmp
+ mv $@.tmp $@
diff --git a/agentfwd.h b/agentfwd.h
index 53c297a..57bb55a 100644
--- a/agentfwd.h
+++ b/agentfwd.h
@@ -30,7 +30,7 @@
#include "auth.h"
#include "list.h"
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
/* An agent reply can be reasonably large, as it can
* contain a list of all public keys held by the agent.
@@ -50,14 +50,14 @@
extern const struct ChanType cli_chan_agent;
-#endif /* ENABLE_CLI_AGENTFWD */
+#endif /* DROPBEAR_CLI_AGENTFWD */
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
int svr_agentreq(struct ChanSess * chansess);
void svr_agentcleanup(struct ChanSess * chansess);
void svr_agentset(struct ChanSess *chansess);
-#endif /* ENABLE_SVR_AGENTFWD */
+#endif /* DROPBEAR_SVR_AGENTFWD */
#endif /* DROPBEAR_AGENTFWD_H_ */
diff --git a/algo.h b/algo.h
index 49c4f41..c793115 100644
--- a/algo.h
+++ b/algo.h
@@ -83,9 +83,15 @@
};
enum dropbear_kex_mode {
+#if DROPBEAR_NORMAL_DH
DROPBEAR_KEX_NORMAL_DH,
+#endif
+#if DROPBEAR_ECDH
DROPBEAR_KEX_ECDH,
+#endif
+#if DROPBEAR_CURVE25519
DROPBEAR_KEX_CURVE25519,
+#endif
};
struct dropbear_kex {
@@ -96,7 +102,7 @@
const int dh_p_len;
/* elliptic curve DH KEX */
-#ifdef DROPBEAR_ECDH
+#if DROPBEAR_ECDH
const struct dropbear_ecc_curve *ecc_curve;
#else
const void* dummy;
@@ -122,7 +128,7 @@
algo_type * buf_match_algo(buffer* buf, algo_type localalgos[],
enum kexguess2_used *kexguess2, int *goodguess);
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
int check_user_algos(const char* user_algo_list, algo_type * algos,
const char *algo_desc);
char * algolist_string(algo_type algos[]);
diff --git a/auth.h b/auth.h
index b772f18..fb3a754 100644
--- a/auth.h
+++ b/auth.h
@@ -41,7 +41,7 @@
void svr_auth_pubkey(void);
void svr_auth_pam(void);
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
int svr_pubkey_allows_agentfwd(void);
int svr_pubkey_allows_tcpfwd(void);
int svr_pubkey_allows_x11fwd(void);
@@ -119,12 +119,12 @@
char *pw_shell;
char *pw_name;
char *pw_passwd;
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
struct PubKeyOptions* pubkey_options;
#endif
};
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
struct PubKeyOptions;
struct PubKeyOptions {
/* Flags */
diff --git a/buffer.c b/buffer.c
index cd974e3..d646c0e 100644
--- a/buffer.c
+++ b/buffer.c
@@ -141,9 +141,10 @@
/* increment the position by incr, negative values are allowed, to
* decrement the pos*/
void buf_incrpos(buffer* buf, int incr) {
- if (incr > BUF_MAX_INCR ||
- (unsigned int)((int)buf->pos + incr) > buf->len
- || ((int)buf->pos + incr) < 0) {
+ if (incr > BUF_MAX_INCR
+ || incr < -BUF_MAX_INCR
+ || (unsigned int)((int)buf->pos + incr) > buf->len
+ || ((int)buf->pos + incr) < 0) {
dropbear_exit("Bad buf_incrpos");
}
buf->pos += incr;
@@ -184,7 +185,7 @@
* the next len bytes from that position can be used */
unsigned char* buf_getptr(buffer* buf, unsigned int len) {
- if (buf->pos + len > buf->len) {
+ if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
dropbear_exit("Bad buf_getptr");
}
return &buf->data[buf->pos];
@@ -194,7 +195,7 @@
* This allows writing past the used length, but not past the size */
unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
- if (buf->pos + len > buf->size) {
+ if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
dropbear_exit("Bad buf_getwriteptr");
}
return &buf->data[buf->pos];
diff --git a/channel.h b/channel.h
index efac157..5499755 100644
--- a/channel.h
+++ b/channel.h
@@ -126,11 +126,11 @@
void common_recv_msg_channel_data(struct Channel *channel, int fd,
circbuffer * buf);
-#ifdef DROPBEAR_CLIENT
+#if DROPBEAR_CLIENT
extern const struct ChanType clichansess;
#endif
-#if defined(USING_LISTENERS) || defined(DROPBEAR_CLIENT)
+#if DROPBEAR_LISTENERS || DROPBEAR_CLIENT
int send_msg_channel_open_init(int fd, const struct ChanType *type);
void recv_msg_channel_open_confirmation(void);
void recv_msg_channel_open_failure(void);
diff --git a/chansession.h b/chansession.h
index 3b39fdc..18fd114 100644
--- a/chansession.h
+++ b/chansession.h
@@ -58,7 +58,7 @@
/* Used to set $SSH_CLIENT in the child session. */
char *client_string;
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
struct Listener * x11listener;
int x11port;
char * x11authprot;
@@ -67,13 +67,13 @@
unsigned char x11singleconn;
#endif
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
struct Listener * agentlistener;
char * agentfile;
char * agentdir;
#endif
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
char *original_command;
#endif
};
@@ -89,7 +89,7 @@
void cli_send_chansess_request(void);
void cli_tty_cleanup(void);
void cli_chansess_winchange(void);
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
void cli_send_netcat_request(void);
#endif
diff --git a/cli-agentfwd.c b/cli-agentfwd.c
index c9bc9db..5b0ea81 100644
--- a/cli-agentfwd.c
+++ b/cli-agentfwd.c
@@ -24,7 +24,7 @@
#include "includes.h"
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
#include "agentfwd.h"
#include "session.h"
diff --git a/cli-auth.c b/cli-auth.c
index 59d455b..3914c58 100644
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -51,7 +51,7 @@
encrypt_packet();
-#ifdef DROPBEAR_CLI_IMMEDIATE_AUTH
+#if DROPBEAR_CLI_IMMEDIATE_AUTH
/* We can't haven't two auth requests in-flight with delayed zlib mode
since if the first one succeeds then the remote side will
expect the second one to be compressed.
@@ -78,6 +78,7 @@
char* banner = NULL;
unsigned int bannerlen;
unsigned int i, linecount;
+ int truncated = 0;
TRACE(("enter recv_msg_userauth_banner"))
if (ses.authstate.authdone) {
@@ -90,26 +91,29 @@
if (bannerlen > MAX_BANNER_SIZE) {
TRACE(("recv_msg_userauth_banner: bannerlen too long: %d", bannerlen))
- goto out;
- }
+ truncated = 1;
+ } else {
+ cleantext(banner);
- cleantext(banner);
-
- /* Limit to 25 lines */
- linecount = 1;
- for (i = 0; i < bannerlen; i++) {
- if (banner[i] == '\n') {
- if (linecount >= MAX_BANNER_LINES) {
- banner[i] = '\0';
- break;
+ /* Limit to 24 lines */
+ linecount = 1;
+ for (i = 0; i < bannerlen; i++) {
+ if (banner[i] == '\n') {
+ if (linecount >= MAX_BANNER_LINES) {
+ banner[i] = '\0';
+ truncated = 1;
+ break;
+ }
+ linecount++;
}
- linecount++;
}
+ fprintf(stderr, "%s\n", banner);
}
- fprintf(stderr, "%s\n", banner);
+ if (truncated) {
+ fprintf(stderr, "[Banner from the server is too long]\n");
+ }
-out:
m_free(banner);
TRACE(("leave recv_msg_userauth_banner"))
}
@@ -121,21 +125,21 @@
* SSH_MSG_USERAUTH_INFO_REQUEST. */
void recv_msg_userauth_specific_60() {
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
recv_msg_userauth_pk_ok();
return;
}
#endif
-#ifdef ENABLE_CLI_INTERACT_AUTH
+#if DROPBEAR_CLI_INTERACT_AUTH
if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT) {
recv_msg_userauth_info_request();
return;
}
#endif
-#ifdef ENABLE_CLI_PASSWORD_AUTH
+#if DROPBEAR_CLI_PASSWORD_AUTH
if (cli_ses.lastauthtype == AUTH_TYPE_PASSWORD) {
/* Eventually there could be proper password-changing
* support. However currently few servers seem to
@@ -179,7 +183,7 @@
TRACE(("leave recv_msg_userauth_failure, ignored response, state set to USERAUTH_REQ_SENT"));
return;
} else {
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
/* If it was a pubkey auth request, we should cross that key
* off the list. */
if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) {
@@ -187,7 +191,7 @@
}
#endif
-#ifdef ENABLE_CLI_INTERACT_AUTH
+#if DROPBEAR_CLI_INTERACT_AUTH
/* If we get a failure message for keyboard interactive without
* receiving any request info packet, then we don't bother trying
* keyboard interactive again */
@@ -227,19 +231,19 @@
for (i = 0; i <= methlen; i++) {
if (methods[i] == '\0') {
TRACE(("auth method '%s'", tok))
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
if (strncmp(AUTH_METHOD_PUBKEY, tok,
AUTH_METHOD_PUBKEY_LEN) == 0) {
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
}
#endif
-#ifdef ENABLE_CLI_INTERACT_AUTH
+#if DROPBEAR_CLI_INTERACT_AUTH
if (strncmp(AUTH_METHOD_INTERACT, tok,
AUTH_METHOD_INTERACT_LEN) == 0) {
ses.authstate.authtypes |= AUTH_TYPE_INTERACT;
}
#endif
-#ifdef ENABLE_CLI_PASSWORD_AUTH
+#if DROPBEAR_CLI_PASSWORD_AUTH
if (strncmp(AUTH_METHOD_PASSWORD, tok,
AUTH_METHOD_PASSWORD_LEN) == 0) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
@@ -267,7 +271,7 @@
cli_ses.state = USERAUTH_SUCCESS_RCVD;
cli_ses.lastauthtype = AUTH_TYPE_NONE;
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
cli_auth_pubkey_cleanup();
#endif
}
@@ -281,14 +285,14 @@
/* Order to try is pubkey, interactive, password.
* As soon as "finished" is set for one, we don't do any more. */
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) {
finished = cli_auth_pubkey();
cli_ses.lastauthtype = AUTH_TYPE_PUBKEY;
}
#endif
-#ifdef ENABLE_CLI_PASSWORD_AUTH
+#if DROPBEAR_CLI_PASSWORD_AUTH
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
@@ -300,7 +304,7 @@
}
#endif
-#ifdef ENABLE_CLI_INTERACT_AUTH
+#if DROPBEAR_CLI_INTERACT_AUTH
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) {
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
fprintf(stderr, "Sorry, I won't let you use interactive auth unencrypted.\n");
@@ -324,7 +328,7 @@
return DROPBEAR_FAILURE;
}
-#if defined(ENABLE_CLI_PASSWORD_AUTH) || defined(ENABLE_CLI_INTERACT_AUTH)
+#if DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_INTERACT_AUTH
/* A helper for getpass() that exits if the user cancels. The returned
* password is statically allocated by getpass() */
char* getpass_or_cancel(char* prompt)
diff --git a/cli-authinteract.c b/cli-authinteract.c
index 49d65a7..e1cc9a1 100644
--- a/cli-authinteract.c
+++ b/cli-authinteract.c
@@ -29,7 +29,7 @@
#include "ssh.h"
#include "runopts.h"
-#ifdef ENABLE_CLI_INTERACT_AUTH
+#if DROPBEAR_CLI_INTERACT_AUTH
static char* get_response(char* prompt)
{
@@ -172,4 +172,4 @@
TRACE(("leave cli_auth_interactive"))
}
-#endif /* ENABLE_CLI_INTERACT_AUTH */
+#endif /* DROPBEAR_CLI_INTERACT_AUTH */
diff --git a/cli-authpasswd.c b/cli-authpasswd.c
index 3cf49a2..00fdd8b 100644
--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
@@ -29,9 +29,9 @@
#include "ssh.h"
#include "runopts.h"
-#ifdef ENABLE_CLI_PASSWORD_AUTH
+#if DROPBEAR_CLI_PASSWORD_AUTH
-#ifdef ENABLE_CLI_ASKPASS_HELPER
+#if DROPBEAR_CLI_ASKPASS_HELPER
/* Returns 1 if we want to use the askpass program, 0 otherwise */
static int want_askpass()
{
@@ -113,7 +113,7 @@
TRACE(("leave gui_getpass"))
return(buf);
}
-#endif /* ENABLE_CLI_ASKPASS_HELPER */
+#endif /* DROPBEAR_CLI_ASKPASS_HELPER */
void cli_auth_password() {
@@ -125,7 +125,7 @@
snprintf(prompt, sizeof(prompt), "%s@%s's password: ",
cli_opts.username, cli_opts.remotehost);
-#ifdef ENABLE_CLI_ASKPASS_HELPER
+#if DROPBEAR_CLI_ASKPASS_HELPER
if (want_askpass())
{
password = gui_getpass(prompt);
@@ -158,4 +158,4 @@
TRACE(("leave cli_auth_password"))
}
-#endif /* ENABLE_CLI_PASSWORD_AUTH */
+#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
diff --git a/cli-authpubkey.c b/cli-authpubkey.c
index d53178e..b60c5c9 100644
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -32,7 +32,7 @@
#include "auth.h"
#include "agentfwd.h"
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign);
/* Called when we receive a SSH_MSG_USERAUTH_FAILURE for a pubkey request.
@@ -122,7 +122,7 @@
void cli_buf_put_sign(buffer* buf, sign_key *key, int type,
buffer *data_buf) {
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
if (key->source == SIGNKEY_SOURCE_AGENT) {
/* Format the agent signature ourselves, as buf_put_sign would. */
buffer *sigblob;
@@ -131,7 +131,7 @@
buf_putbufstring(buf, sigblob);
buf_free(sigblob);
} else
-#endif /* ENABLE_CLI_AGENTFWD */
+#endif /* DROPBEAR_CLI_AGENTFWD */
{
buf_put_sign(buf, key, type, data_buf);
}
@@ -185,7 +185,7 @@
TRACE(("enter cli_auth_pubkey"))
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
if (!cli_opts.agent_keys_loaded) {
/* get the list of available keys from the agent */
cli_load_agent_keys(cli_opts.privkeys);
@@ -209,7 +209,7 @@
void cli_auth_pubkey_cleanup() {
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
m_close(cli_opts.agent_fd);
cli_opts.agent_fd = -1;
#endif
diff --git a/cli-chansession.c b/cli-chansession.c
index 0f92e8a..c2086f2 100644
--- a/cli-chansession.c
+++ b/cli-chansession.c
@@ -355,7 +355,7 @@
cli_init_stdpipe_sess(channel);
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
if (cli_opts.agent_fwd) {
cli_setup_agent(channel);
}
@@ -379,7 +379,7 @@
return 0; /* Success */
}
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
static const struct ChanType cli_chan_netcat = {
0, /* sepfds */
diff --git a/cli-kex.c b/cli-kex.c
index 936b95c..0764cc0 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -48,6 +48,7 @@
CHECKCLEARTOWRITE();
buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
case DROPBEAR_KEX_NORMAL_DH:
if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
|| !cli_ses.dh_param) {
@@ -58,8 +59,9 @@
}
buf_putmpint(ses.writepayload, &cli_ses.dh_param->pub);
break;
+#endif
+#if DROPBEAR_ECDH
case DROPBEAR_KEX_ECDH:
-#ifdef DROPBEAR_ECDH
if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
|| !cli_ses.ecdh_param) {
if (cli_ses.ecdh_param) {
@@ -68,9 +70,9 @@
cli_ses.ecdh_param = gen_kexecdh_param();
}
buf_put_ecc_raw_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key);
-#endif
break;
-#ifdef DROPBEAR_CURVE25519
+#endif
+#if DROPBEAR_CURVE25519
case DROPBEAR_KEX_CURVE25519:
if (ses.newkeys->algo_kex != cli_ses.param_kex_algo
|| !cli_ses.curve25519_param) {
@@ -80,8 +82,8 @@
cli_ses.curve25519_param = gen_kexcurve25519_param();
}
buf_putstring(ses.writepayload, (const char*)cli_ses.curve25519_param->pub, CURVE25519_LEN);
-#endif
break;
+#endif
}
cli_ses.param_kex_algo = ses.newkeys->algo_kex;
@@ -118,6 +120,7 @@
}
switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
case DROPBEAR_KEX_NORMAL_DH:
{
DEF_MP_INT(dh_f);
@@ -131,37 +134,38 @@
mp_clear(&dh_f);
}
break;
+#endif
+#if DROPBEAR_ECDH
case DROPBEAR_KEX_ECDH:
-#ifdef DROPBEAR_ECDH
{
buffer *ecdh_qs = buf_getstringbuf(ses.payload);
kexecdh_comb_key(cli_ses.ecdh_param, ecdh_qs, hostkey);
buf_free(ecdh_qs);
}
-#endif
break;
-#ifdef DROPBEAR_CURVE25519
+#endif
+#if DROPBEAR_CURVE25519
case DROPBEAR_KEX_CURVE25519:
{
buffer *ecdh_qs = buf_getstringbuf(ses.payload);
kexcurve25519_comb_key(cli_ses.curve25519_param, ecdh_qs, hostkey);
buf_free(ecdh_qs);
}
-#endif
break;
+#endif
}
if (cli_ses.dh_param) {
free_kexdh_param(cli_ses.dh_param);
cli_ses.dh_param = NULL;
}
-#ifdef DROPBEAR_ECDH
+#if DROPBEAR_ECDH
if (cli_ses.ecdh_param) {
free_kexecdh_param(cli_ses.ecdh_param);
cli_ses.ecdh_param = NULL;
}
#endif
-#ifdef DROPBEAR_CURVE25519
+#if DROPBEAR_CURVE25519
if (cli_ses.curve25519_param) {
free_kexcurve25519_param(cli_ses.curve25519_param);
cli_ses.curve25519_param = NULL;
diff --git a/cli-main.c b/cli-main.c
index 787d770..121da22 100644
--- a/cli-main.c
+++ b/cli-main.c
@@ -35,13 +35,13 @@
static void cli_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN;
static void cli_dropbear_log(int priority, const char* format, va_list param);
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out);
static void kill_proxy_sighandler(int signo);
#endif
-#if defined(DBMULTI_dbclient) || !defined(DROPBEAR_MULTI)
-#if defined(DBMULTI_dbclient) && defined(DROPBEAR_MULTI)
+#if defined(DBMULTI_dbclient) || !DROPBEAR_MULTI
+#if defined(DBMULTI_dbclient) && DROPBEAR_MULTI
int cli_main(int argc, char ** argv) {
#else
int main(int argc, char ** argv) {
@@ -74,7 +74,7 @@
}
pid_t proxy_cmd_pid = 0;
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
if (cli_opts.proxycmd) {
cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
m_free(cli_opts.proxycmd);
@@ -98,29 +98,30 @@
#endif /* DBMULTI stuff */
static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
+ char exitmsg[150];
+ char fullmsg[300];
- char fmtbuf[300];
- char exitmsg[500];
+ /* Note that exit message must be rendered before session cleanup */
+ /* Render the formatted exit message */
+ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+
+ /* Add the prefix depending on session/auth state */
if (!sessinitdone) {
- snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s",
- format);
+ snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
} else {
- snprintf(fmtbuf, sizeof(fmtbuf),
+ snprintf(fullmsg, sizeof(fullmsg),
"Connection to %s@%s:%s exited: %s",
cli_opts.username, cli_opts.remotehost,
- cli_opts.remoteport, format);
+ cli_opts.remoteport, exitmsg);
}
- /* Arguments to the exit printout may be unsafe to use after session_cleanup() */
- vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param);
-
/* Do the cleanup first, since then the terminal will be reset */
session_cleanup();
/* Avoid printing onwards from terminal cruft */
fprintf(stderr, "\n");
- dropbear_log(LOG_INFO, "%s", exitmsg);;
+ dropbear_log(LOG_INFO, "%s", fullmsg);
exit(exitcode);
}
@@ -150,7 +151,7 @@
dropbear_exit("Failed to run '%s'\n", cmd);
}
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
char * ex_cmd = NULL;
size_t ex_cmdlen;
@@ -175,4 +176,4 @@
kill_proxy_command();
_exit(1);
}
-#endif /* ENABLE_CLI_PROXYCMD */
+#endif /* DROPBEAR_CLI_PROXYCMD */
diff --git a/cli-runopts.c b/cli-runopts.c
index 24169c9..4a89ba3 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -37,13 +37,13 @@
static void parse_hostname(const char* orighostarg);
static void parse_multihop_hostname(const char* orighostarg, const char* argv0);
static void fill_own_user(void);
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
static void loadidentityfile(const char* filename, int warnfail);
#endif
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
static void addforward(const char* str, m_list *fwdlist);
#endif
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
static void add_netcat(const char *str);
#endif
static void add_extendedopt(const char *str);
@@ -51,7 +51,7 @@
static void printhelp() {
fprintf(stderr, "Dropbear SSH client v%s https://matt.ucc.asn.au/dropbear/dropbear.html\n"
-#ifdef ENABLE_CLI_MULTIHOP
+#if DROPBEAR_CLI_MULTIHOP
"Usage: %s [options] [user@]host[/port][,[user@]host/port],...] [command]\n"
#else
"Usage: %s [options] [user@]host[/port] [command]\n"
@@ -66,38 +66,38 @@
"-y -y Don't perform any remote host key checking (caution)\n"
"-s Request a subsystem (use by external sftp)\n"
"-o option Set option in OpenSSH-like format ('-o help' to list options)\n"
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
"-i <identityfile> (multiple allowed, default %s)\n"
#endif
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
"-A Enable agent auth forwarding\n"
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
"-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding\n"
"-g Allow remote hosts to connect to forwarded ports\n"
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
"-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding\n"
#endif
"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
"-K <keepalive> (0 is never, default %d)\n"
"-I <idle_timeout> (0 is never, default %d)\n"
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
"-B <endhost:endport> Netcat-alike forwarding\n"
#endif
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
"-J <proxy_program> Use program pipe rather than TCP connection\n"
#endif
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
"-c <cipher list> Specify preferred ciphers ('-c help' to list options)\n"
"-m <MAC list> Specify preferred MACs for packet verification (or '-m help')\n"
#endif
"-V Version\n"
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
"-v verbose (compiled with DEBUG_TRACE)\n"
#endif
,DROPBEAR_VERSION, cli_opts.progname,
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
DROPBEAR_DEFAULT_CLI_AUTHKEY,
#endif
DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
@@ -109,16 +109,16 @@
char ** next = 0;
enum {
OPT_EXTENDED_OPTIONS,
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
OPT_AUTHKEY,
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
OPT_LOCALTCPFWD,
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
OPT_REMOTETCPFWD,
#endif
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
OPT_NETCAT,
#endif
/* a flag (no arg) if 'next' is NULL, a string-valued option otherwise */
@@ -145,31 +145,31 @@
cli_opts.always_accept_key = 0;
cli_opts.no_hostkey_check = 0;
cli_opts.is_subsystem = 0;
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
cli_opts.privkeys = list_new();
#endif
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
cli_opts.exit_on_fwd_failure = 0;
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
cli_opts.localfwds = list_new();
opts.listen_fwd_all = 0;
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
cli_opts.remotefwds = list_new();
#endif
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
cli_opts.agent_fwd = 0;
cli_opts.agent_fd = -1;
cli_opts.agent_keys_loaded = 0;
#endif
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
cli_opts.proxycmd = NULL;
#endif
#ifndef DISABLE_ZLIB
opts.compress_mode = DROPBEAR_COMPRESS_ON;
#endif
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
opts.cipher_list = NULL;
opts.mac_list = NULL;
#endif
@@ -213,7 +213,7 @@
case 'p': /* remoteport */
next = &cli_opts.remoteport;
break;
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
case 'i': /* an identityfile */
opt = OPT_AUTHKEY;
break;
@@ -236,7 +236,7 @@
case 'o':
opt = OPT_EXTENDED_OPTIONS;
break;
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
case 'L':
opt = OPT_LOCALTCPFWD;
break;
@@ -244,17 +244,17 @@
opts.listen_fwd_all = 1;
break;
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
case 'R':
opt = OPT_REMOTETCPFWD;
break;
#endif
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
case 'B':
opt = OPT_NETCAT;
break;
#endif
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
case 'J':
next = &cli_opts.proxycmd;
break;
@@ -278,12 +278,12 @@
case 'I':
next = &idle_timeout_arg;
break;
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
case 'A':
cli_opts.agent_fwd = 1;
break;
#endif
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
case 'c':
next = &opts.cipher_list;
break;
@@ -291,22 +291,22 @@
next = &opts.mac_list;
break;
#endif
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
case 'v':
debug_trace = 1;
break;
#endif
case 'F':
case 'e':
-#ifndef ENABLE_USER_ALGO_LIST
+#if !DROPBEAR_USER_ALGO_LIST
case 'c':
case 'm':
#endif
case 'D':
-#ifndef ENABLE_CLI_REMOTETCPFWD
+#ifndef DROPBEAR_CLI_REMOTETCPFWD
case 'R':
#endif
-#ifndef ENABLE_CLI_LOCALTCPFWD
+#ifndef DROPBEAR_CLI_LOCALTCPFWD
case 'L':
#endif
case 'V':
@@ -338,28 +338,28 @@
add_extendedopt(&argv[i][j]);
}
else
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
if (opt == OPT_AUTHKEY) {
TRACE(("opt authkey"))
loadidentityfile(&argv[i][j], 1);
}
else
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
if (opt == OPT_REMOTETCPFWD) {
TRACE(("opt remotetcpfwd"))
addforward(&argv[i][j], cli_opts.remotefwds);
}
else
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
if (opt == OPT_LOCALTCPFWD) {
TRACE(("opt localtcpfwd"))
addforward(&argv[i][j], cli_opts.localfwds);
}
else
#endif
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
if (opt == OPT_NETCAT) {
TRACE(("opt netcat"))
add_netcat(&argv[i][j]);
@@ -405,11 +405,11 @@
/* And now a few sanity checks and setup */
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
parse_ciphers_macs();
#endif
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
if (cli_opts.proxycmd) {
/* To match the common path of m_freeing it */
cli_opts.proxycmd = m_strdup(cli_opts.proxycmd);
@@ -457,13 +457,13 @@
opts.idle_timeout_secs = val;
}
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
if (cli_opts.cmd && cli_opts.netcat_host) {
dropbear_log(LOG_INFO, "Ignoring command '%s' in netcat mode", cli_opts.cmd);
}
#endif
-#if defined(DROPBEAR_DEFAULT_CLI_AUTHKEY) && defined(ENABLE_CLI_PUBKEY_AUTH)
+#if (DROPBEAR_CLI_PUBKEY_AUTH)
{
char *expand_path = expand_homedir_path(DROPBEAR_DEFAULT_CLI_AUTHKEY);
loadidentityfile(expand_path, 0);
@@ -474,14 +474,14 @@
/* The hostname gets set up last, since
* in multi-hop mode it will require knowledge
* of other flags such as -i */
-#ifdef ENABLE_CLI_MULTIHOP
+#if DROPBEAR_CLI_MULTIHOP
parse_multihop_hostname(host_arg, argv[0]);
#else
parse_hostname(host_arg);
#endif
}
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
static void loadidentityfile(const char* filename, int warnfail) {
sign_key *key;
enum signkey_type keytype;
@@ -504,7 +504,7 @@
}
#endif
-#ifdef ENABLE_CLI_MULTIHOP
+#if DROPBEAR_CLI_MULTIHOP
static char*
multihop_passthrough_args() {
@@ -514,13 +514,13 @@
m_list_elem *iter;
/* Fill out -i, -y, -W options that make sense for all
* the intermediate processes */
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
{
sign_key * key = (sign_key*)iter->item;
len += 3 + strlen(key->filename);
}
-#endif /* ENABLE_CLI_PUBKEY_AUTH */
+#endif /* DROPBEAR_CLI_PUBKEY_AUTH */
len += 30; /* space for -W <size>, terminator. */
ret = m_malloc(len);
@@ -543,7 +543,7 @@
total += written;
}
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
{
sign_key * key = (sign_key*)iter->item;
@@ -552,7 +552,7 @@
dropbear_assert((unsigned int)written < size);
total += written;
}
-#endif /* ENABLE_CLI_PUBKEY_AUTH */
+#endif /* DROPBEAR_CLI_PUBKEY_AUTH */
/* if args were passed, total will be not zero, and it will have a space at the end, so remove that */
if (total > 0)
@@ -636,7 +636,7 @@
}
m_free(hostbuf);
}
-#endif /* !ENABLE_CLI_MULTIHOP */
+#endif /* !DROPBEAR_CLI_MULTIHOP */
/* Parses a [user@]hostname[/port] argument. */
static void parse_hostname(const char* orighostarg) {
@@ -675,7 +675,7 @@
}
}
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
static void add_netcat(const char* origstr) {
char *portstr = NULL;
@@ -728,7 +728,7 @@
}
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
/* Turn a "[listenaddr:]listenport:remoteaddr:remoteport" string into into a forwarding
* set, and add it to the forwarding list */
static void addforward(const char* origstr, m_list *fwdlist) {
@@ -870,7 +870,7 @@
if (strcmp(origstr, "help") == 0) {
dropbear_log(LOG_INFO, "Available options:\n"
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
"\tExitOnForwardFailure\n"
#endif
#ifndef DISABLE_SYSLOG
@@ -880,7 +880,7 @@
exit(EXIT_SUCCESS);
}
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
if (match_extendedopt(&optstr, "ExitOnForwardFailure") == DROPBEAR_SUCCESS) {
cli_opts.exit_on_fwd_failure = parse_flag_value(optstr);
return;
diff --git a/cli-session.c b/cli-session.c
index 15a2188..d89416f 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -73,7 +73,7 @@
{SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli},
{SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
{SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
{SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
#else
@@ -85,10 +85,10 @@
};
static const struct ChanType *cli_chantypes[] = {
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
&cli_chan_tcpremote,
#endif
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
&cli_chan_agent,
#endif
NULL /* Null termination */
@@ -133,7 +133,7 @@
}
-#ifdef USE_KEX_FIRST_FOLLOWS
+#if DROPBEAR_KEX_FIRST_FOLLOWS
static void cli_send_kex_first_guess() {
send_msg_kexdh_init();
}
@@ -165,7 +165,7 @@
cli_ses.lastprivkey = NULL;
cli_ses.lastauthtype = 0;
-#ifdef DROPBEAR_NONE_CIPHER
+#if DROPBEAR_NONE_CIPHER
cli_ses.cipher_none_after_auth = get_algo_usable(sshciphers, "none");
set_algo_usable(sshciphers, "none", 0);
#else
@@ -182,7 +182,7 @@
ses.isserver = 0;
-#ifdef USE_KEX_FIRST_FOLLOWS
+#if DROPBEAR_KEX_FIRST_FOLLOWS
ses.send_kex_first_guess = cli_send_kex_first_guess;
#endif
@@ -275,7 +275,7 @@
}
#endif
-#ifdef DROPBEAR_NONE_CIPHER
+#if DROPBEAR_NONE_CIPHER
if (cli_ses.cipher_none_after_auth)
{
set_algo_usable(sshciphers, "none", 1);
@@ -299,7 +299,7 @@
}
}
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
if (cli_opts.netcat_host) {
cli_send_netcat_request();
} else
@@ -308,10 +308,10 @@
cli_send_chansess_request();
}
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
setup_localtcp();
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
setup_remotetcp();
#endif
diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c
index 03b4b92..95b2d7c 100644
--- a/cli-tcpfwd.c
+++ b/cli-tcpfwd.c
@@ -32,7 +32,7 @@
#include "ssh.h"
#include "netio.h"
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
static int newtcpforwarded(struct Channel * channel);
const struct ChanType cli_chan_tcpremote = {
@@ -45,7 +45,7 @@
};
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
static int cli_localtcp(const char* listenaddr,
unsigned int listenport,
const char* remoteaddr,
@@ -60,7 +60,7 @@
};
#endif
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
static void fwd_failed(const char* format, ...) ATTRIB_PRINTF(1,2);
static void fwd_failed(const char* format, ...)
{
@@ -77,7 +77,7 @@
}
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
void setup_localtcp() {
m_list_elem *iter;
int ret;
@@ -144,9 +144,9 @@
TRACE(("leave cli_localtcp: %d", ret))
return ret;
}
-#endif /* ENABLE_CLI_LOCALTCPFWD */
+#endif /* DROPBEAR_CLI_LOCALTCPFWD */
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
static void send_msg_global_request_remotetcp(const char *addr, int port) {
TRACE(("enter send_msg_global_request_remotetcp"))
@@ -285,4 +285,4 @@
TRACE(("leave newtcpdirect: err %d", err))
return err;
}
-#endif /* ENABLE_CLI_REMOTETCPFWD */
+#endif /* DROPBEAR_CLI_REMOTETCPFWD */
diff --git a/common-algo.c b/common-algo.c
index 10d60c9..f783816 100644
--- a/common-algo.c
+++ b/common-algo.c
@@ -53,27 +53,27 @@
/* Remember to add new ciphers/hashes to regciphers/reghashes too */
-#ifdef DROPBEAR_AES256
+#if DROPBEAR_AES256
static const struct dropbear_cipher dropbear_aes256 =
{&aes_desc, 32, 16};
#endif
-#ifdef DROPBEAR_AES128
+#if DROPBEAR_AES128
static const struct dropbear_cipher dropbear_aes128 =
{&aes_desc, 16, 16};
#endif
-#ifdef DROPBEAR_BLOWFISH
+#if DROPBEAR_BLOWFISH
static const struct dropbear_cipher dropbear_blowfish =
{&blowfish_desc, 16, 8};
#endif
-#ifdef DROPBEAR_TWOFISH256
+#if DROPBEAR_TWOFISH256
static const struct dropbear_cipher dropbear_twofish256 =
{&twofish_desc, 32, 16};
#endif
-#ifdef DROPBEAR_TWOFISH128
+#if DROPBEAR_TWOFISH128
static const struct dropbear_cipher dropbear_twofish128 =
{&twofish_desc, 16, 16};
#endif
-#ifdef DROPBEAR_3DES
+#if DROPBEAR_3DES
static const struct dropbear_cipher dropbear_3des =
{&des3_desc, 24, 8};
#endif
@@ -84,7 +84,7 @@
/* A few void* s are required to silence warnings
* about the symmetric_CBC vs symmetric_CTR cipher_state pointer */
-#ifdef DROPBEAR_ENABLE_CBC_MODE
+#if DROPBEAR_ENABLE_CBC_MODE
const struct dropbear_cipher_mode dropbear_mode_cbc =
{(void*)cbc_start, (void*)cbc_encrypt, (void*)cbc_decrypt};
#endif /* DROPBEAR_ENABLE_CBC_MODE */
@@ -92,7 +92,7 @@
const struct dropbear_cipher_mode dropbear_mode_none =
{void_start, void_cipher, void_cipher};
-#ifdef DROPBEAR_ENABLE_CTR_MODE
+#if DROPBEAR_ENABLE_CTR_MODE
/* a wrapper to make ctr_start and cbc_start look the same */
static int dropbear_big_endian_ctr_start(int cipher,
const unsigned char *IV,
@@ -107,23 +107,23 @@
/* Mapping of ssh hashes to libtomcrypt hashes, including keysize etc.
{&hash_desc, keysize, hashsize} */
-#ifdef DROPBEAR_SHA1_HMAC
+#if DROPBEAR_SHA1_HMAC
static const struct dropbear_hash dropbear_sha1 =
{&sha1_desc, 20, 20};
#endif
-#ifdef DROPBEAR_SHA1_96_HMAC
+#if DROPBEAR_SHA1_96_HMAC
static const struct dropbear_hash dropbear_sha1_96 =
{&sha1_desc, 20, 12};
#endif
-#ifdef DROPBEAR_SHA2_256_HMAC
+#if DROPBEAR_SHA2_256_HMAC
static const struct dropbear_hash dropbear_sha2_256 =
{&sha256_desc, 32, 32};
#endif
-#ifdef DROPBEAR_SHA2_512_HMAC
+#if DROPBEAR_SHA2_512_HMAC
static const struct dropbear_hash dropbear_sha2_512 =
{&sha512_desc, 64, 64};
#endif
-#ifdef DROPBEAR_MD5_HMAC
+#if DROPBEAR_MD5_HMAC
static const struct dropbear_hash dropbear_md5 =
{&md5_desc, 16, 16};
#endif
@@ -137,73 +137,70 @@
* that is also supported by the server will get used. */
algo_type sshciphers[] = {
-#ifdef DROPBEAR_ENABLE_CTR_MODE
-#ifdef DROPBEAR_AES128
+#if DROPBEAR_ENABLE_CTR_MODE
+#if DROPBEAR_AES128
{"aes128-ctr", 0, &dropbear_aes128, 1, &dropbear_mode_ctr},
#endif
-#ifdef DROPBEAR_AES256
+#if DROPBEAR_AES256
{"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
#endif
-#ifdef DROPBEAR_TWOFISH_CTR
+#if DROPBEAR_TWOFISH_CTR
/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */
-#ifdef DROPBEAR_TWOFISH256
+#if DROPBEAR_TWOFISH256
{"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
#endif
-#ifdef DROPBEAR_TWOFISH128
+#if DROPBEAR_TWOFISH128
{"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
#endif
#endif /* DROPBEAR_TWOFISH_CTR */
#endif /* DROPBEAR_ENABLE_CTR_MODE */
-#ifdef DROPBEAR_ENABLE_CBC_MODE
-#ifdef DROPBEAR_AES128
+#if DROPBEAR_ENABLE_CBC_MODE
+#if DROPBEAR_AES128
{"aes128-cbc", 0, &dropbear_aes128, 1, &dropbear_mode_cbc},
#endif
-#ifdef DROPBEAR_AES256
+#if DROPBEAR_AES256
{"aes256-cbc", 0, &dropbear_aes256, 1, &dropbear_mode_cbc},
#endif
-#ifdef DROPBEAR_TWOFISH256
+#if DROPBEAR_TWOFISH256
{"twofish256-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
{"twofish-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
#endif
-#ifdef DROPBEAR_TWOFISH128
+#if DROPBEAR_TWOFISH128
{"twofish128-cbc", 0, &dropbear_twofish128, 1, &dropbear_mode_cbc},
#endif
-#ifdef DROPBEAR_3DES
+#if DROPBEAR_3DES
{"3des-ctr", 0, &dropbear_3des, 1, &dropbear_mode_ctr},
#endif
-#ifdef DROPBEAR_3DES
+#if DROPBEAR_3DES
{"3des-cbc", 0, &dropbear_3des, 1, &dropbear_mode_cbc},
#endif
-#ifdef DROPBEAR_BLOWFISH
+#if DROPBEAR_BLOWFISH
{"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc},
#endif
#endif /* DROPBEAR_ENABLE_CBC_MODE */
-#ifdef DROPBEAR_NONE_CIPHER
+#if DROPBEAR_NONE_CIPHER
{"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none},
#endif
{NULL, 0, NULL, 0, NULL}
};
algo_type sshhashes[] = {
-#ifdef DROPBEAR_SHA1_96_HMAC
+#if DROPBEAR_SHA1_96_HMAC
{"hmac-sha1-96", 0, &dropbear_sha1_96, 1, NULL},
#endif
-#ifdef DROPBEAR_SHA1_HMAC
+#if DROPBEAR_SHA1_HMAC
{"hmac-sha1", 0, &dropbear_sha1, 1, NULL},
#endif
-#ifdef DROPBEAR_SHA2_256_HMAC
+#if DROPBEAR_SHA2_256_HMAC
{"hmac-sha2-256", 0, &dropbear_sha2_256, 1, NULL},
#endif
-#ifdef DROPBEAR_SHA2_512_HMAC
+#if DROPBEAR_SHA2_512_HMAC
{"hmac-sha2-512", 0, &dropbear_sha2_512, 1, NULL},
#endif
-#ifdef DROPBEAR_MD5_HMAC
+#if DROPBEAR_MD5_HMAC
{"hmac-md5", 0, (void*)&dropbear_md5, 1, NULL},
#endif
-#ifdef DROPBEAR_NONE_INTEGRITY
- {"none", 0, (void*)&dropbear_nohash, 1, NULL},
-#endif
{NULL, 0, NULL, 0, NULL}
};
@@ -228,21 +225,21 @@
};
algo_type sshhostkey[] = {
-#ifdef DROPBEAR_ECDSA
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDSA
+#if DROPBEAR_ECC_256
{"ecdsa-sha2-nistp256", DROPBEAR_SIGNKEY_ECDSA_NISTP256, NULL, 1, NULL},
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
{"ecdsa-sha2-nistp384", DROPBEAR_SIGNKEY_ECDSA_NISTP384, NULL, 1, NULL},
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
{"ecdsa-sha2-nistp521", DROPBEAR_SIGNKEY_ECDSA_NISTP521, NULL, 1, NULL},
#endif
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
{"ssh-rsa", DROPBEAR_SIGNKEY_RSA, NULL, 1, NULL},
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
{"ssh-dss", DROPBEAR_SIGNKEY_DSS, NULL, 1, NULL},
#endif
{NULL, 0, NULL, 0, NULL}
@@ -251,11 +248,11 @@
#if DROPBEAR_DH_GROUP1
static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
#endif
-#if DROPBEAR_DH_GROUP14
+#if DROPBEAR_DH_GROUP14_SHA1
static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
-#if DROPBEAR_DH_GROUP14_256
-static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
#endif
+#if DROPBEAR_DH_GROUP14_SHA256
+static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
#endif
#if DROPBEAR_DH_GROUP16
static const struct dropbear_kex kex_dh_group16_sha512 = {DROPBEAR_KEX_NORMAL_DH, dh_p_16, DH_P_16_LEN, NULL, &sha512_desc };
@@ -263,51 +260,51 @@
/* These can't be const since dropbear_ecc_fill_dp() fills out
ecc_curve at runtime */
-#ifdef DROPBEAR_ECDH
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDH
+#if DROPBEAR_ECC_256
static const struct dropbear_kex kex_ecdh_nistp256 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp256, &sha256_desc };
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
static const struct dropbear_kex kex_ecdh_nistp384 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp384, &sha384_desc };
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
static const struct dropbear_kex kex_ecdh_nistp521 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp521, &sha512_desc };
#endif
#endif /* DROPBEAR_ECDH */
-#ifdef DROPBEAR_CURVE25519
+#if DROPBEAR_CURVE25519
/* Referred to directly */
static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
#endif
algo_type sshkex[] = {
-#ifdef DROPBEAR_CURVE25519
+#if DROPBEAR_CURVE25519
{"curve25519-sha256@libssh.org", 0, &kex_curve25519, 1, NULL},
#endif
-#ifdef DROPBEAR_ECDH
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECDH
+#if DROPBEAR_ECC_521
{"ecdh-sha2-nistp521", 0, &kex_ecdh_nistp521, 1, NULL},
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
{"ecdh-sha2-nistp384", 0, &kex_ecdh_nistp384, 1, NULL},
#endif
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
{"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
#endif
#endif
-#if DROPBEAR_DH_GROUP14
-#if DROPBEAR_DH_GROUP14_256
- {"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
-#endif
+#if DROPBEAR_DH_GROUP14_SHA1
{"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL},
#endif
+#if DROPBEAR_DH_GROUP14_SHA256
+ {"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
+#endif
#if DROPBEAR_DH_GROUP1
{"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
#endif
#if DROPBEAR_DH_GROUP16
{"diffie-hellman-group16-sha512", 0, &kex_dh_group16_sha512, 1, NULL},
#endif
-#ifdef USE_KEXGUESS2
+#if DROPBEAR_KEXGUESS2
{KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL},
#endif
{NULL, 0, NULL, 0, NULL}
@@ -349,6 +346,7 @@
}
}
buf_putstring(buf, (const char*)algolist->data, algolist->len);
+ TRACE(("algolist add '%*s'", algolist->len, algolist->data))
buf_free(algolist);
}
@@ -468,7 +466,7 @@
return ret;
}
-#ifdef DROPBEAR_NONE_CIPHER
+#if DROPBEAR_NONE_CIPHER
void
set_algo_usable(algo_type algos[], const char * algo_name, int usable)
@@ -500,7 +498,7 @@
#endif /* DROPBEAR_NONE_CIPHER */
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
char *
algolist_string(algo_type algos[])
@@ -531,21 +529,6 @@
return NULL;
}
-static void
-try_add_algo(const char *algo_name, algo_type *algos,
- const char *algo_desc, algo_type * new_algos, int *num_ret)
-{
- algo_type *match_algo = check_algo(algo_name, algos);
- if (!match_algo)
- {
- dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", algo_name, algo_desc);
- return;
- }
-
- new_algos[*num_ret] = *match_algo;
- (*num_ret)++;
-}
-
/* Checks a user provided comma-separated algorithm list for available
* options. Any that are not acceptable are removed in-place. Returns the
* number of valid algorithms. */
@@ -553,30 +536,43 @@
check_user_algos(const char* user_algo_list, algo_type * algos,
const char *algo_desc)
{
- algo_type new_algos[MAX_PROPOSED_ALGO];
- /* this has two passes. first we sweep through the given list of
- * algorithms and mark them as usable=2 in the algo_type[] array... */
- int num_ret = 0;
+ algo_type new_algos[MAX_PROPOSED_ALGO+1];
char *work_list = m_strdup(user_algo_list);
- char *last_name = work_list;
+ char *start = work_list;
char *c;
- for (c = work_list; *c; c++)
+ int n;
+ /* So we can iterate and look for null terminator */
+ memset(new_algos, 0x0, sizeof(new_algos));
+ for (c = work_list, n = 0; ; c++)
{
- if (*c == ',')
- {
+ char oc = *c;
+ if (n >= MAX_PROPOSED_ALGO) {
+ dropbear_exit("Too many algorithms '%s'", user_algo_list);
+ }
+ if (*c == ',' || *c == '\0') {
+ algo_type *match_algo = NULL;
*c = '\0';
- try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
+ match_algo = check_algo(start, algos);
+ if (match_algo) {
+ if (check_algo(start, new_algos)) {
+ TRACE(("Skip repeated algorithm '%s'", start))
+ } else {
+ new_algos[n] = *match_algo;
+ n++;
+ }
+ } else {
+ dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", start, algo_desc);
+ }
c++;
- last_name = c;
+ start = c;
+ }
+ if (oc == '\0') {
+ break;
}
}
- try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
m_free(work_list);
-
- new_algos[num_ret].name = NULL;
-
- /* Copy one more as a blank delimiter */
- memcpy(algos, new_algos, sizeof(*new_algos) * (num_ret+1));
- return num_ret;
+ /* n+1 to include a null terminator */
+ memcpy(algos, new_algos, sizeof(*new_algos) * (n+1));
+ return n;
}
-#endif /* ENABLE_USER_ALGO_LIST */
+#endif /* DROPBEAR_USER_ALGO_LIST */
diff --git a/common-channel.c b/common-channel.c
index 40353c2..835e493 100644
--- a/common-channel.c
+++ b/common-channel.c
@@ -78,7 +78,7 @@
ses.chantypes = chantypes;
-#ifdef USING_LISTENERS
+#if DROPBEAR_LISTENERS
listeners_initialise();
#endif
@@ -255,7 +255,7 @@
}
}
-#ifdef USING_LISTENERS
+#if DROPBEAR_LISTENERS
handle_listeners(readfds);
#endif
}
@@ -595,7 +595,7 @@
} /* foreach channel */
-#ifdef USING_LISTENERS
+#if DROPBEAR_LISTENERS
set_listener_fds(readfds);
#endif
@@ -1114,7 +1114,7 @@
}
-#if defined(USING_LISTENERS) || defined(DROPBEAR_CLIENT)
+#if (DROPBEAR_LISTENERS) || (DROPBEAR_CLIENT)
/* Create a new channel, and start the open request. This is intended
* for X11, agent, tcp forwarding, and should be filled with channel-specific
* options, with the calling function calling encrypt_packet() after
@@ -1210,7 +1210,7 @@
remove_channel(channel);
}
-#endif /* USING_LISTENERS */
+#endif /* DROPBEAR_LISTENERS */
void send_msg_request_success() {
CHECKCLEARTOWRITE();
diff --git a/common-kex.c b/common-kex.c
index 5003d2f..072b6fb 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -640,7 +640,7 @@
finish_kexhashbuf();
}
-#ifdef DROPBEAR_ECDH
+#if DROPBEAR_ECDH
struct kex_ecdh_param *gen_kexecdh_param() {
struct kex_ecdh_param *param = m_malloc(sizeof(*param));
if (ecc_make_key_ex(NULL, dropbear_ltc_prng,
@@ -692,7 +692,7 @@
}
#endif /* DROPBEAR_ECDH */
-#ifdef DROPBEAR_CURVE25519
+#if DROPBEAR_CURVE25519
struct kex_curve25519_param *gen_kexcurve25519_param () {
/* Per http://cr.yp.to/ecdh.html */
struct kex_curve25519_param *param = m_malloc(sizeof(*param));
@@ -774,7 +774,7 @@
hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize));
buf_setlen(ses.hash, hash_desc->hashsize);
-#if defined(DEBUG_KEXHASH) && defined(DEBUG_TRACE)
+#if (DEBUG_KEXHASH) && (DEBUG_TRACE)
if (!debug_trace) {
printhex("kexhashbuf", ses.kexhashbuf->data, ses.kexhashbuf->len);
printhex("kexhash", ses.hash->data, ses.hash->len);
@@ -814,7 +814,7 @@
int allgood = 1; /* we AND this with each goodguess and see if its still
true after */
-#ifdef USE_KEXGUESS2
+#if DROPBEAR_KEXGUESS2
enum kexguess2_used kexguess2 = KEXGUESS2_LOOK;
#else
enum kexguess2_used kexguess2 = KEXGUESS2_NO;
diff --git a/common-runopts.c b/common-runopts.c
index 4c07e1f..62b9471 100644
--- a/common-runopts.c
+++ b/common-runopts.c
@@ -62,7 +62,7 @@
return ret;
}
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
void
parse_ciphers_macs()
{
diff --git a/common-session.c b/common-session.c
index 20b6ba3..99a5470 100644
--- a/common-session.c
+++ b/common-session.c
@@ -54,7 +54,7 @@
void common_session_init(int sock_in, int sock_out) {
time_t now;
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
debug_start_net();
#endif
@@ -295,7 +295,7 @@
}
/* After these are freed most functions will fail */
-#ifdef DROPBEAR_CLEANUP
+#if DROPBEAR_CLEANUP
/* listeners call cleanup functions, this should occur before
other session state is freed. */
remove_all_listeners();
@@ -361,7 +361,7 @@
}
if (!done) {
- TRACE(("err: %s for '%s'\n", strerror(errno), linebuf))
+ TRACE(("error reading remote ident: %s\n", strerror(errno)))
ses.remoteclosed();
} else {
/* linebuf is already null terminated */
@@ -550,10 +550,12 @@
static long select_timeout() {
/* determine the minimum timeout that might be required, so
as to avoid waking when unneccessary */
- long timeout = LONG_MAX;
+ long timeout = KEX_REKEY_TIMEOUT;
long now = monotonic_now();
- update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &timeout);
+ if (!ses.kexstate.sentkexinit) {
+ update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &timeout);
+ }
if (ses.authstate.authdone != 1 && IS_DROPBEAR_SERVER) {
/* AUTH_TIMEOUT is only relevant before authdone */
diff --git a/crypto_desc.c b/crypto_desc.c
index ed4de30..0f946fc 100644
--- a/crypto_desc.c
+++ b/crypto_desc.c
@@ -4,7 +4,7 @@
#include "ltc_prng.h"
#include "ecc.h"
-#ifdef DROPBEAR_LTC_PRNG
+#if DROPBEAR_LTC_PRNG
int dropbear_ltc_prng = -1;
#endif
@@ -14,16 +14,16 @@
void crypto_init() {
const struct ltc_cipher_descriptor *regciphers[] = {
-#ifdef DROPBEAR_AES
+#if DROPBEAR_AES
&aes_desc,
#endif
-#ifdef DROPBEAR_BLOWFISH
+#if DROPBEAR_BLOWFISH
&blowfish_desc,
#endif
-#ifdef DROPBEAR_TWOFISH
+#if DROPBEAR_TWOFISH
&twofish_desc,
#endif
-#ifdef DROPBEAR_3DES
+#if DROPBEAR_3DES
&des3_desc,
#endif
NULL
@@ -32,16 +32,16 @@
const struct ltc_hash_descriptor *reghashes[] = {
/* we need sha1 for hostkey stuff regardless */
&sha1_desc,
-#ifdef DROPBEAR_MD5_HMAC
+#if DROPBEAR_MD5_HMAC
&md5_desc,
#endif
-#ifdef DROPBEAR_SHA256
+#if DROPBEAR_SHA256
&sha256_desc,
#endif
-#ifdef DROPBEAR_SHA384
+#if DROPBEAR_SHA384
&sha384_desc,
#endif
-#ifdef DROPBEAR_SHA512
+#if DROPBEAR_SHA512
&sha512_desc,
#endif
NULL
@@ -60,14 +60,14 @@
}
}
-#ifdef DROPBEAR_LTC_PRNG
+#if DROPBEAR_LTC_PRNG
dropbear_ltc_prng = register_prng(&dropbear_prng_desc);
if (dropbear_ltc_prng == -1) {
dropbear_exit("Error registering crypto");
}
#endif
-#ifdef DROPBEAR_ECC
+#if DROPBEAR_ECC
ltc_mp = ltm_desc;
dropbear_ecc_fill_dp();
#endif
diff --git a/dbrandom.c b/dbrandom.c
index 239b044..eb747da 100644
--- a/dbrandom.c
+++ b/dbrandom.c
@@ -59,7 +59,7 @@
unsigned int readcount;
int ret = DROPBEAR_FAILURE;
-#ifdef DROPBEAR_PRNGD_SOCKET
+#if DROPBEAR_PRNGD_SOCKET
if (prngd)
{
readfd = connect_unix(filename);
@@ -107,7 +107,7 @@
wantread = MIN(sizeof(readbuf), len-readcount);
}
-#ifdef DROPBEAR_PRNGD_SOCKET
+#if DROPBEAR_PRNGD_SOCKET
if (prngd)
{
char egdcmd[2];
@@ -185,7 +185,7 @@
/* existing state */
sha1_process(&hs, (void*)hashpool, sizeof(hashpool));
-#ifdef DROPBEAR_PRNGD_SOCKET
+#if DROPBEAR_PRNGD_SOCKET
if (process_file(&hs, DROPBEAR_PRNGD_SOCKET, INIT_SEED_SIZE, 1)
!= DROPBEAR_SUCCESS) {
dropbear_exit("Failure reading random device %s",
diff --git a/dbutil.c b/dbutil.c
index ef06802..ab189d2 100644
--- a/dbutil.c
+++ b/dbutil.c
@@ -79,7 +79,7 @@
void (*_dropbear_log)(int priority, const char* format, va_list param)
= generic_dropbear_log;
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
int debug_trace = 0;
#endif
@@ -149,7 +149,7 @@
}
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
static double debug_start_time = -1;
@@ -182,7 +182,7 @@
void dropbear_trace(const char* format, ...) {
va_list param;
- if (!debug_trace) {
+ if (!ses.debug_trace) {
return;
}
@@ -262,7 +262,7 @@
return DROPBEAR_FAILURE;
}
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
pid = vfork();
#else
pid = fork();
@@ -371,7 +371,7 @@
execv(usershell, argv);
}
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
void printhex(const char * label, const unsigned char * buf, int len) {
int i;
@@ -465,7 +465,7 @@
* authkeys file.
* Will return DROPBEAR_SUCCESS if data is read, or DROPBEAR_FAILURE on EOF.*/
/* Only used for ~/.ssh/known_hosts and ~/.ssh/authorized_keys */
-#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
+#if DROPBEAR_CLIENT || DROPBEAR_SVR_PUBKEY_AUTH
int buf_getline(buffer * line, FILE * authfile) {
int c = EOF;
diff --git a/dbutil.h b/dbutil.h
index 8d589ed..9bcc875 100644
--- a/dbutil.h
+++ b/dbutil.h
@@ -45,7 +45,7 @@
void fail_assert(const char* expr, const char* file, int line) ATTRIB_NORETURN;
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
void dropbear_trace(const char* format, ...) ATTRIB_PRINTF(1,2);
void dropbear_trace2(const char* format, ...) ATTRIB_PRINTF(1,2);
void printhex(const char * label, const unsigned char * buf, int len);
diff --git a/debian/changelog b/debian/changelog
index 9669e2a..87edb50 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+dropbear (2016.74-0.1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Matt Johnston <matt@ucc.asn.au> Thu, 21 Jul 2016 22:51:57 +0800
+
dropbear (2016.73-0.1) unstable; urgency=low
* New upstream release.
diff --git a/debug.h b/debug.h
index cbfa7e9..93fbc1f 100644
--- a/debug.h
+++ b/debug.h
@@ -39,7 +39,9 @@
* Caution: Don't use this in an unfriendly environment (ie unfirewalled),
* since the printing may not sanitise strings etc. This will add a reasonable
* amount to your executable size. */
-/*#define DEBUG_TRACE*/
+#ifndef DEBUG_TRACE
+#define DEBUG_TRACE 0
+#endif
/* All functions writing to the cleartext payload buffer call
* CHECKCLEARTOWRITE() before writing. This is only really useful if you're
@@ -61,7 +63,7 @@
/*#define DEBUG_RSA*/
/* you don't need to touch this block */
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
#define TRACE(X) dropbear_trace X;
#define TRACE2(X) dropbear_trace2 X;
#else /*DEBUG_TRACE*/
diff --git a/default_options.h b/default_options.h
new file mode 100644
index 0000000..e59c338
--- /dev/null
+++ b/default_options.h
@@ -0,0 +1,458 @@
+#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
+#define DROPBEAR_DEFAULT_OPTIONS_H_
+/*
+ > > > Read This < < <
+
+default_options.h.in (this file) documents compile-time options, and provides
+default values.
+
+Local customisation should be added to localoptions.h which is
+used if it exists. Options defined there will override any options in this
+file (#ifndef guards added by ifndef_wrapper.sh).
+
+Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+
+IMPORTANT: Many options will require "make clean" after changes */
+
+#ifndef DROPBEAR_DEFPORT
+#define DROPBEAR_DEFPORT "22"
+#endif
+
+/* Listen on all interfaces */
+#ifndef DROPBEAR_DEFADDRESS
+#define DROPBEAR_DEFADDRESS ""
+#endif
+
+/* Default hostkey paths - these can be specified on the command line */
+#ifndef DSS_PRIV_FILENAME
+#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+#endif
+#ifndef RSA_PRIV_FILENAME
+#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+#endif
+#ifndef ECDSA_PRIV_FILENAME
+#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
+#endif
+
+/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
+ * on chosen ports and keeps accepting connections. This is the default.
+ *
+ * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
+ * similar), where it will use stdin/stdout for connections, and each process
+ * lasts for a single connection. Dropbear should be invoked with the -i flag
+ * for inetd, and can only accept IPv4 connections.
+ *
+ * Both of these flags can be defined at once, don't compile without at least
+ * one of them. */
+#ifndef NON_INETD_MODE
+#define NON_INETD_MODE 1
+#endif
+#ifndef INETD_MODE
+#define INETD_MODE 1
+#endif
+
+/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
+ * perhaps 20% slower for pubkey operations (it is probably worth experimenting
+ * if you want to use this) */
+/*#define NO_FAST_EXPTMOD*/
+
+/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
+several kB in binary size however will make the symmetrical ciphers and hashes
+slower, perhaps by 50%. Recommended for small systems that aren't doing
+much traffic. */
+#ifndef DROPBEAR_SMALL_CODE
+#define DROPBEAR_SMALL_CODE 1
+#endif
+
+/* Enable X11 Forwarding - server only */
+#ifndef DROPBEAR_X11FWD
+#define DROPBEAR_X11FWD 1
+#endif
+
+/* Enable TCP Fowarding */
+/* 'Local' is "-L" style (client listening port forwarded via server)
+ * 'Remote' is "-R" style (server listening port forwarded via client) */
+
+#ifndef DROPBEAR_CLI_LOCALTCPFWD
+#define DROPBEAR_CLI_LOCALTCPFWD 1
+#endif
+#ifndef DROPBEAR_CLI_REMOTETCPFWD
+#define DROPBEAR_CLI_REMOTETCPFWD 1
+#endif
+
+#ifndef DROPBEAR_SVR_LOCALTCPFWD
+#define DROPBEAR_SVR_LOCALTCPFWD 1
+#endif
+#ifndef DROPBEAR_SVR_REMOTETCPFWD
+#define DROPBEAR_SVR_REMOTETCPFWD 1
+#endif
+
+/* Enable Authentication Agent Forwarding */
+#ifndef DROPBEAR_SVR_AGENTFWD
+#define DROPBEAR_SVR_AGENTFWD 1
+#endif
+#ifndef DROPBEAR_CLI_AGENTFWD
+#define DROPBEAR_CLI_AGENTFWD 1
+#endif
+
+
+/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
+ * allow multihop dbclient connections */
+
+/* Allow using -J <proxycommand> to run the connection through a
+ pipe to a program, rather the normal TCP connection */
+#ifndef DROPBEAR_CLI_PROXYCMD
+#define DROPBEAR_CLI_PROXYCMD 1
+#endif
+
+/* Enable "Netcat mode" option. This will forward standard input/output
+ * to a remote TCP-forwarded connection */
+#ifndef DROPBEAR_CLI_NETCAT
+#define DROPBEAR_CLI_NETCAT 1
+#endif
+
+/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
+#ifndef ENABLE_USER_ALGO_LIST
+#define ENABLE_USER_ALGO_LIST 1
+#endif
+
+/* Encryption - at least one required.
+ * Protocol RFC requires 3DES and recommends AES128 for interoperability.
+ * Including multiple keysize variants the same cipher
+ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+#ifndef DROPBEAR_AES128
+#define DROPBEAR_AES128 1
+#endif
+#ifndef DROPBEAR_3DES
+#define DROPBEAR_3DES 1
+#endif
+#ifndef DROPBEAR_AES256
+#define DROPBEAR_AES256 1
+#endif
+/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+/*#define DROPBEAR_BLOWFISH*/
+#ifndef DROPBEAR_TWOFISH256
+#define DROPBEAR_TWOFISH256 1
+#endif
+#ifndef DROPBEAR_TWOFISH128
+#define DROPBEAR_TWOFISH128 1
+#endif
+
+/* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
+#ifndef DROPBEAR_ENABLE_CBC_MODE
+#define DROPBEAR_ENABLE_CBC_MODE 1
+#endif
+
+/* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. It is recommended for security
+ * and forwards compatibility */
+#ifndef DROPBEAR_ENABLE_CTR_MODE
+#define DROPBEAR_ENABLE_CTR_MODE 1
+#endif
+
+/* Twofish counter mode is disabled by default because it
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+#ifndef DROPBEAR_TWOFISH_CTR
+#define DROPBEAR_TWOFISH_CTR 0
+#endif
+
+/* Message integrity. sha2-256 is recommended as a default,
+ sha1 for compatibility */
+#ifndef DROPBEAR_SHA1_HMAC
+#define DROPBEAR_SHA1_HMAC 1
+#endif
+#ifndef DROPBEAR_SHA1_96_HMAC
+#define DROPBEAR_SHA1_96_HMAC 1
+#endif
+#ifndef DROPBEAR_SHA2_256_HMAC
+#define DROPBEAR_SHA2_256_HMAC 1
+#endif
+/* Default is to include it is sha512 is being compiled in for ECDSA */
+#ifndef DROPBEAR_SHA2_512_HMAC
+#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
+#endif
+
+/* XXX needed for fingerprints */
+#ifndef DROPBEAR_MD5_HMAC
+#define DROPBEAR_MD5_HMAC 0
+#endif
+
+/* Hostkey/public key algorithms - at least one required, these are used
+ * for hostkey as well as for verifying signatures with pubkey auth.
+ * Removing either of these won't save very much space.
+ * RSA is recommended
+ * DSS may be necessary to connect to some systems though
+ is not recommended for new keys */
+#ifndef DROPBEAR_RSA
+#define DROPBEAR_RSA 1
+#endif
+#ifndef DROPBEAR_DSS
+#define DROPBEAR_DSS 1
+#endif
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
+#ifndef DROPBEAR_ECDSA
+#define DROPBEAR_ECDSA 1
+#endif
+
+/* Add runtime flag "-R" to generate hostkeys as-needed when the first
+ connection using that key type occurs.
+ This avoids the need to otherwise run "dropbearkey" and avoids some problems
+ with badly seeded /dev/urandom when systems first boot. */
+#ifndef DROPBEAR_DELAY_HOSTKEY
+#define DROPBEAR_DELAY_HOSTKEY 1
+#endif
+
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~8kB on x86-64 */
+#ifndef DROPBEAR_CURVE25519
+#define DROPBEAR_CURVE25519 1
+#endif
+
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
+ * ECDSA above */
+#ifndef DROPBEAR_ECDH
+#define DROPBEAR_ECDH 1
+#endif
+
+/* Key exchange algorithm.
+ * group14_sha1 - 2048 bit, sha1
+ * group14_sha256 - 2048 bit, sha2-256
+ * group16 - 4096 bit, sha2-512
+ * group1 - 1024 bit, sha1
+ *
+ * group14 is supported by most implementations.
+ * group16 provides a greater strength level but is slower and increases binary size
+ * group1 is too small for security though is necessary if you need
+ compatibility with some implementations such as Dropbear versions < 0.53
+ */
+#ifndef DROPBEAR_DH_GROUP1
+#define DROPBEAR_DH_GROUP1 1
+#endif
+#ifndef DROPBEAR_DH_GROUP14_SHA1
+#define DROPBEAR_DH_GROUP14_SHA1 1
+#endif
+#ifndef DROPBEAR_DH_GROUP14_SHA256
+#define DROPBEAR_DH_GROUP14_SHA256 1
+#endif
+#ifndef DROPBEAR_DH_GROUP16
+#define DROPBEAR_DH_GROUP16 0
+#endif
+
+/* Control the memory/performance/compression tradeoff for zlib.
+ * Set windowBits=8 for least memory usage, see your system's
+ * zlib.h for full details.
+ * Default settings (windowBits=15) will use 256kB for compression
+ * windowBits=8 will use 129kB for compression.
+ * Both modes will use ~35kB for decompression (using windowBits=15 for
+ * interoperability) */
+#ifndef DROPBEAR_ZLIB_WINDOW_BITS
+#define DROPBEAR_ZLIB_WINDOW_BITS 15
+#endif
+
+/* Whether to do reverse DNS lookups. */
+#ifndef DO_HOST_LOOKUP
+#define DO_HOST_LOOKUP 0
+#endif
+
+/* Whether to print the message of the day (MOTD). */
+#ifndef DO_MOTD
+#define DO_MOTD 0
+#endif
+
+/* The MOTD file path */
+#ifndef MOTD_FILENAME
+#define MOTD_FILENAME "/etc/motd"
+#endif
+
+/* Authentication Types - at least one required.
+ RFC Draft requires pubkey auth, and recommends password */
+
+/* Note: PAM auth is quite simple and only works for PAM modules which just do
+ * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
+ * It's useful for systems like OS X where standard password crypts don't work
+ * but there's an interface via a PAM module. It won't work for more complex
+ * PAM challenge/response.
+ * You can't enable both PASSWORD and PAM. */
+
+/* This requires crypt() */
+#ifdef HAVE_CRYPT
+#ifndef DROPBEAR_SVR_PASSWORD_AUTH
+#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#endif
+#else
+#ifndef DROPBEAR_SVR_PASSWORD_AUTH
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
+#endif
+#endif
+/* PAM requires ./configure --enable-pam */
+#ifndef DROPBEAR_SVR_PAM_AUTH
+#define DROPBEAR_SVR_PAM_AUTH 0
+#endif
+#ifndef DROPBEAR_SVR_PUBKEY_AUTH
+#define DROPBEAR_SVR_PUBKEY_AUTH 1
+#endif
+
+/* Whether to take public key options in
+ * authorized_keys file into account */
+#ifndef DROPBEAR_SVR_PUBKEY_OPTIONS
+#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
+#endif
+
+/* This requires getpass. */
+#ifdef HAVE_GETPASS
+#ifndef DROPBEAR_CLI_PASSWORD_AUTH
+#define DROPBEAR_CLI_PASSWORD_AUTH 1
+#endif
+#ifndef DROPBEAR_CLI_INTERACT_AUTH
+#define DROPBEAR_CLI_INTERACT_AUTH 1
+#endif
+#endif
+#ifndef DROPBEAR_CLI_PUBKEY_AUTH
+#define DROPBEAR_CLI_PUBKEY_AUTH 1
+#endif
+
+/* A default argument for dbclient -i <privatekey>.
+Homedir is prepended unless path begins with / */
+#ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY
+#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
+#endif
+
+/* This variable can be used to set a password for client
+ * authentication on the commandline. Beware of platforms
+ * that don't protect environment variables of processes etc. Also
+ * note that it will be provided for all "hidden" client-interactive
+ * style prompts - if you want something more sophisticated, use
+ * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
+#ifndef DROPBEAR_PASSWORD_ENV
+#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
+#endif
+
+/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
+ * specified in the SSH_ASKPASS environment variable, and dbclient
+ * should be run with DISPLAY set and no tty. The program should
+ * return the password on standard output */
+#ifndef DROPBEAR_CLI_ASKPASS_HELPER
+#define DROPBEAR_CLI_ASKPASS_HELPER 0
+#endif
+
+/* Save a network roundtrip by sendng a real auth request immediately after
+ * sending a query for the available methods. It is at the expense of < 100
+ * bytes of extra network traffic. This is not yet enabled by default since it
+ * could cause problems with non-compliant servers */
+#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
+#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
+#endif
+
+/* Source for randomness. This must be able to provide hundreds of bytes per SSH
+ * connection without blocking. In addition /dev/random is used for seeding
+ * rsa/dss key generation */
+#ifndef DROPBEAR_URANDOM_DEV
+#define DROPBEAR_URANDOM_DEV "/dev/urandom"
+#endif
+
+/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
+/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
+
+
+/* Specify the number of clients we will allow to be connected but
+ * not yet authenticated. After this limit, connections are rejected */
+/* The first setting is per-IP, to avoid denial of service */
+#ifndef MAX_UNAUTH_PER_IP
+#define MAX_UNAUTH_PER_IP 5
+#endif
+
+/* And then a global limit to avoid chewing memory if connections
+ * come from many IPs */
+#ifndef MAX_UNAUTH_CLIENTS
+#define MAX_UNAUTH_CLIENTS 30
+#endif
+
+/* Maximum number of failed authentication tries (server option) */
+#ifndef MAX_AUTH_TRIES
+#define MAX_AUTH_TRIES 10
+#endif
+
+/* The default file to store the daemon's process ID, for shutdown
+ scripts etc. This can be overridden with the -P flag */
+#ifndef DROPBEAR_PIDFILE
+#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
+#endif
+
+/* The command to invoke for xauth when using X11 forwarding.
+ * "-q" for quiet */
+#ifndef XAUTH_COMMAND
+#define XAUTH_COMMAND "/usr/bin/xauth -q"
+#endif
+
+/* if you want to enable running an sftp server (such as the one included with
+ * OpenSSH), set the path below. If the path isn't defined, sftp will not
+ * be enabled */
+#ifndef SFTPSERVER_PATH
+#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
+#endif
+
+/* This is used by the scp binary when used as a client binary. If you're
+ * not using the Dropbear client, you'll need to change it */
+#ifndef DROPBEAR_PATH_SSH_PROGRAM
+#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
+#endif
+
+/* Whether to log commands executed by a client. This only logs the
+ * (single) command sent to the server, not what a user did in a
+ * shell/sftp session etc. */
+#ifndef LOG_COMMANDS
+#define LOG_COMMANDS 0
+#endif
+
+/* Window size limits. These tend to be a trade-off between memory
+ usage and network performance: */
+/* Size of the network receive window. This amount of memory is allocated
+ as a per-channel receive buffer. Increasing this value can make a
+ significant difference to network performance. 24kB was empirically
+ chosen for a 100mbit ethernet network. The value can be altered at
+ runtime with the -W argument. */
+#ifndef DEFAULT_RECV_WINDOW
+#define DEFAULT_RECV_WINDOW 24576
+#endif
+/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
+ in order to interoperate with other implementations */
+#ifndef RECV_MAX_PAYLOAD_LEN
+#define RECV_MAX_PAYLOAD_LEN 32768
+#endif
+/* Maximum size of a transmitted data packet - this can be any value,
+ though increasing it may not make a significant difference. */
+#ifndef TRANS_MAX_PAYLOAD_LEN
+#define TRANS_MAX_PAYLOAD_LEN 16384
+#endif
+
+/* Ensure that data is transmitted every KEEPALIVE seconds. This can
+be overridden at runtime with -K. 0 disables keepalives */
+#ifndef DEFAULT_KEEPALIVE
+#define DEFAULT_KEEPALIVE 0
+#endif
+
+/* If this many KEEPALIVES are sent with no packets received from the
+other side, exit. Not run-time configurable - if you have a need
+for runtime configuration please mail the Dropbear list */
+#ifndef DEFAULT_KEEPALIVE_LIMIT
+#define DEFAULT_KEEPALIVE_LIMIT 3
+#endif
+
+/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
+be overridden at runtime with -I. 0 disables idle timeouts */
+#ifndef DEFAULT_IDLE_TIMEOUT
+#define DEFAULT_IDLE_TIMEOUT 0
+#endif
+
+/* The default path. This will often get replaced by the shell */
+#ifndef DEFAULT_PATH
+#define DEFAULT_PATH "/usr/bin:/bin"
+#endif
+
+#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
diff --git a/default_options.h.in b/default_options.h.in
new file mode 100644
index 0000000..e81eaae
--- /dev/null
+++ b/default_options.h.in
@@ -0,0 +1,312 @@
+#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
+#define DROPBEAR_DEFAULT_OPTIONS_H_
+/*
+ > > > Read This < < <
+
+default_options.h.in (this file) documents compile-time options, and provides
+default values.
+
+Local customisation should be added to localoptions.h which is
+used if it exists. Options defined there will override any options in this
+file (#ifndef guards added by ifndef_wrapper.sh).
+
+Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+
+IMPORTANT: Many options will require "make clean" after changes */
+
+#define DROPBEAR_DEFPORT "22"
+
+/* Listen on all interfaces */
+#define DROPBEAR_DEFADDRESS ""
+
+/* Default hostkey paths - these can be specified on the command line */
+#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
+
+/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
+ * on chosen ports and keeps accepting connections. This is the default.
+ *
+ * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
+ * similar), where it will use stdin/stdout for connections, and each process
+ * lasts for a single connection. Dropbear should be invoked with the -i flag
+ * for inetd, and can only accept IPv4 connections.
+ *
+ * Both of these flags can be defined at once, don't compile without at least
+ * one of them. */
+#define NON_INETD_MODE 1
+#define INETD_MODE 1
+
+/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
+ * perhaps 20% slower for pubkey operations (it is probably worth experimenting
+ * if you want to use this) */
+/*#define NO_FAST_EXPTMOD*/
+
+/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
+several kB in binary size however will make the symmetrical ciphers and hashes
+slower, perhaps by 50%. Recommended for small systems that aren't doing
+much traffic. */
+#define DROPBEAR_SMALL_CODE 1
+
+/* Enable X11 Forwarding - server only */
+#define DROPBEAR_X11FWD 1
+
+/* Enable TCP Fowarding */
+/* 'Local' is "-L" style (client listening port forwarded via server)
+ * 'Remote' is "-R" style (server listening port forwarded via client) */
+
+#define DROPBEAR_CLI_LOCALTCPFWD 1
+#define DROPBEAR_CLI_REMOTETCPFWD 1
+
+#define DROPBEAR_SVR_LOCALTCPFWD 1
+#define DROPBEAR_SVR_REMOTETCPFWD 1
+
+/* Enable Authentication Agent Forwarding */
+#define DROPBEAR_SVR_AGENTFWD 1
+#define DROPBEAR_CLI_AGENTFWD 1
+
+
+/* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
+ * allow multihop dbclient connections */
+
+/* Allow using -J <proxycommand> to run the connection through a
+ pipe to a program, rather the normal TCP connection */
+#define DROPBEAR_CLI_PROXYCMD 1
+
+/* Enable "Netcat mode" option. This will forward standard input/output
+ * to a remote TCP-forwarded connection */
+#define DROPBEAR_CLI_NETCAT 1
+
+/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
+#define ENABLE_USER_ALGO_LIST 1
+
+/* Encryption - at least one required.
+ * Protocol RFC requires 3DES and recommends AES128 for interoperability.
+ * Including multiple keysize variants the same cipher
+ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+#define DROPBEAR_AES128 1
+#define DROPBEAR_3DES 1
+#define DROPBEAR_AES256 1
+/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+/*#define DROPBEAR_BLOWFISH*/
+#define DROPBEAR_TWOFISH256 1
+#define DROPBEAR_TWOFISH128 1
+
+/* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
+#define DROPBEAR_ENABLE_CBC_MODE 1
+
+/* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. It is recommended for security
+ * and forwards compatibility */
+#define DROPBEAR_ENABLE_CTR_MODE 1
+
+/* Twofish counter mode is disabled by default because it
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+#define DROPBEAR_TWOFISH_CTR 0
+
+/* Message integrity. sha2-256 is recommended as a default,
+ sha1 for compatibility */
+#define DROPBEAR_SHA1_HMAC 1
+#define DROPBEAR_SHA1_96_HMAC 1
+#define DROPBEAR_SHA2_256_HMAC 1
+/* Default is to include it is sha512 is being compiled in for ECDSA */
+#define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
+
+/* XXX needed for fingerprints */
+#define DROPBEAR_MD5_HMAC 0
+
+/* Hostkey/public key algorithms - at least one required, these are used
+ * for hostkey as well as for verifying signatures with pubkey auth.
+ * Removing either of these won't save very much space.
+ * RSA is recommended
+ * DSS may be necessary to connect to some systems though
+ is not recommended for new keys */
+#define DROPBEAR_RSA 1
+#define DROPBEAR_DSS 1
+/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
+#define DROPBEAR_ECDSA 1
+
+/* Add runtime flag "-R" to generate hostkeys as-needed when the first
+ connection using that key type occurs.
+ This avoids the need to otherwise run "dropbearkey" and avoids some problems
+ with badly seeded /dev/urandom when systems first boot. */
+#define DROPBEAR_DELAY_HOSTKEY 1
+
+/* Enable Curve25519 for key exchange. This is another elliptic
+ * curve method with good security properties. Increases binary size
+ * by ~8kB on x86-64 */
+#define DROPBEAR_CURVE25519 1
+
+/* Enable elliptic curve Diffie Hellman key exchange, see note about
+ * ECDSA above */
+#define DROPBEAR_ECDH 1
+
+/* Key exchange algorithm.
+ * group14_sha1 - 2048 bit, sha1
+ * group14_sha256 - 2048 bit, sha2-256
+ * group16 - 4096 bit, sha2-512
+ * group1 - 1024 bit, sha1
+ *
+ * group14 is supported by most implementations.
+ * group16 provides a greater strength level but is slower and increases binary size
+ * group1 is too small for security though is necessary if you need
+ compatibility with some implementations such as Dropbear versions < 0.53
+ */
+#define DROPBEAR_DH_GROUP1 1
+#define DROPBEAR_DH_GROUP14_SHA1 1
+#define DROPBEAR_DH_GROUP14_SHA256 1
+#define DROPBEAR_DH_GROUP16 0
+
+/* Control the memory/performance/compression tradeoff for zlib.
+ * Set windowBits=8 for least memory usage, see your system's
+ * zlib.h for full details.
+ * Default settings (windowBits=15) will use 256kB for compression
+ * windowBits=8 will use 129kB for compression.
+ * Both modes will use ~35kB for decompression (using windowBits=15 for
+ * interoperability) */
+#define DROPBEAR_ZLIB_WINDOW_BITS 15
+
+/* Whether to do reverse DNS lookups. */
+#define DO_HOST_LOOKUP 0
+
+/* Whether to print the message of the day (MOTD). */
+#define DO_MOTD 0
+
+/* The MOTD file path */
+#define MOTD_FILENAME "/etc/motd"
+
+/* Authentication Types - at least one required.
+ RFC Draft requires pubkey auth, and recommends password */
+
+/* Note: PAM auth is quite simple and only works for PAM modules which just do
+ * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
+ * It's useful for systems like OS X where standard password crypts don't work
+ * but there's an interface via a PAM module. It won't work for more complex
+ * PAM challenge/response.
+ * You can't enable both PASSWORD and PAM. */
+
+/* This requires crypt() */
+#ifdef HAVE_CRYPT
+#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#else
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
+#endif
+/* PAM requires ./configure --enable-pam */
+#define DROPBEAR_SVR_PAM_AUTH 0
+#define DROPBEAR_SVR_PUBKEY_AUTH 1
+
+/* Whether to take public key options in
+ * authorized_keys file into account */
+#define DROPBEAR_SVR_PUBKEY_OPTIONS 1
+
+/* This requires getpass. */
+#ifdef HAVE_GETPASS
+#define DROPBEAR_CLI_PASSWORD_AUTH 1
+#define DROPBEAR_CLI_INTERACT_AUTH 1
+#endif
+#define DROPBEAR_CLI_PUBKEY_AUTH 1
+
+/* A default argument for dbclient -i <privatekey>.
+Homedir is prepended unless path begins with / */
+#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
+
+/* This variable can be used to set a password for client
+ * authentication on the commandline. Beware of platforms
+ * that don't protect environment variables of processes etc. Also
+ * note that it will be provided for all "hidden" client-interactive
+ * style prompts - if you want something more sophisticated, use
+ * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
+#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
+
+/* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
+ * specified in the SSH_ASKPASS environment variable, and dbclient
+ * should be run with DISPLAY set and no tty. The program should
+ * return the password on standard output */
+#define DROPBEAR_CLI_ASKPASS_HELPER 0
+
+/* Save a network roundtrip by sendng a real auth request immediately after
+ * sending a query for the available methods. It is at the expense of < 100
+ * bytes of extra network traffic. This is not yet enabled by default since it
+ * could cause problems with non-compliant servers */
+#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
+
+/* Source for randomness. This must be able to provide hundreds of bytes per SSH
+ * connection without blocking. In addition /dev/random is used for seeding
+ * rsa/dss key generation */
+#define DROPBEAR_URANDOM_DEV "/dev/urandom"
+
+/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
+/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
+
+
+/* Specify the number of clients we will allow to be connected but
+ * not yet authenticated. After this limit, connections are rejected */
+/* The first setting is per-IP, to avoid denial of service */
+#define MAX_UNAUTH_PER_IP 5
+
+/* And then a global limit to avoid chewing memory if connections
+ * come from many IPs */
+#define MAX_UNAUTH_CLIENTS 30
+
+/* Maximum number of failed authentication tries (server option) */
+#define MAX_AUTH_TRIES 10
+
+/* The default file to store the daemon's process ID, for shutdown
+ scripts etc. This can be overridden with the -P flag */
+#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
+
+/* The command to invoke for xauth when using X11 forwarding.
+ * "-q" for quiet */
+#define XAUTH_COMMAND "/usr/bin/xauth -q"
+
+/* if you want to enable running an sftp server (such as the one included with
+ * OpenSSH), set the path below. If the path isn't defined, sftp will not
+ * be enabled */
+#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
+
+/* This is used by the scp binary when used as a client binary. If you're
+ * not using the Dropbear client, you'll need to change it */
+#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
+
+/* Whether to log commands executed by a client. This only logs the
+ * (single) command sent to the server, not what a user did in a
+ * shell/sftp session etc. */
+#define LOG_COMMANDS 0
+
+/* Window size limits. These tend to be a trade-off between memory
+ usage and network performance: */
+/* Size of the network receive window. This amount of memory is allocated
+ as a per-channel receive buffer. Increasing this value can make a
+ significant difference to network performance. 24kB was empirically
+ chosen for a 100mbit ethernet network. The value can be altered at
+ runtime with the -W argument. */
+#define DEFAULT_RECV_WINDOW 24576
+/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
+ in order to interoperate with other implementations */
+#define RECV_MAX_PAYLOAD_LEN 32768
+/* Maximum size of a transmitted data packet - this can be any value,
+ though increasing it may not make a significant difference. */
+#define TRANS_MAX_PAYLOAD_LEN 16384
+
+/* Ensure that data is transmitted every KEEPALIVE seconds. This can
+be overridden at runtime with -K. 0 disables keepalives */
+#define DEFAULT_KEEPALIVE 0
+
+/* If this many KEEPALIVES are sent with no packets received from the
+other side, exit. Not run-time configurable - if you have a need
+for runtime configuration please mail the Dropbear list */
+#define DEFAULT_KEEPALIVE_LIMIT 3
+
+/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
+be overridden at runtime with -I. 0 disables idle timeouts */
+#define DEFAULT_IDLE_TIMEOUT 0
+
+/* The default path. This will often get replaced by the shell */
+#define DEFAULT_PATH "/usr/bin:/bin"
+
+#endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
diff --git a/dropbear.8 b/dropbear.8
index 71200d9..be73372 100644
--- a/dropbear.8
+++ b/dropbear.8
@@ -91,6 +91,10 @@
.B \-I \fIidle_timeout
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
.TP
+.B \-c \fIforced_command
+Disregard the command provided by the user and always run \fIforced_command\fR. This also
+overrides any authorized_keys command= option.
+.TP
.B \-V
Print the version
@@ -129,6 +133,7 @@
.TP
.B command=\fR"\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR.
+The -c command line option overrides this.
The authorized_keys file and its containing ~/.ssh directory must only be
writable by the user, otherwise Dropbear will not allow a login using public
diff --git a/dropbearconvert.c b/dropbearconvert.c
index 37ee7ac..7285f23 100644
--- a/dropbearconvert.c
+++ b/dropbearconvert.c
@@ -53,8 +53,8 @@
progname);
}
-#if defined(DBMULTI_dropbearconvert) || !defined(DROPBEAR_MULTI)
-#if defined(DBMULTI_dropbearconvert) && defined(DROPBEAR_MULTI)
+#if defined(DBMULTI_dropbearconvert) || !DROPBEAR_MULTI
+#if defined(DBMULTI_dropbearconvert) && DROPBEAR_MULTI
int dropbearconvert_main(int argc, char ** argv) {
#else
int main(int argc, char ** argv) {
@@ -67,7 +67,7 @@
crypto_init();
seedrandom();
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
/* It's hard for it to get in the way _too_ much */
debug_trace = 1;
#endif
diff --git a/dropbearkey.c b/dropbearkey.c
index 644de94..6ea68b4 100644
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -67,36 +67,36 @@
fprintf(stderr, "Usage: %s -t <type> -f <filename> [-s bits]\n"
"-t type Type of key to generate. One of:\n"
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
" rsa\n"
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
" dss\n"
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
" ecdsa\n"
#endif
"-f filename Use filename for the secret key.\n"
" ~/.ssh/id_dropbear is recommended for client keys.\n"
"-s bits Key size in bits, should be a multiple of 8 (optional)\n"
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
" DSS has a fixed size of 1024 bits\n"
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
" ECDSA has sizes "
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
"256 "
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
"384 "
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
"521 "
#endif
"\n"
#endif
"-y Just print the publickey and fingerprint for the\n private key in <filename>.\n"
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
"-v verbose\n"
#endif
,progname);
@@ -106,7 +106,7 @@
static void check_signkey_bits(enum signkey_type type, int bits)
{
switch (type) {
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a"
@@ -126,8 +126,8 @@
}
}
-#if defined(DBMULTI_dropbearkey) || !defined(DROPBEAR_MULTI)
-#if defined(DBMULTI_dropbearkey) && defined(DROPBEAR_MULTI)
+#if defined(DBMULTI_dropbearkey) || !DROPBEAR_MULTI
+#if defined(DBMULTI_dropbearkey) && DROPBEAR_MULTI
int dropbearkey_main(int argc, char ** argv) {
#else
int main(int argc, char ** argv) {
@@ -174,7 +174,7 @@
printhelp(argv[0]);
exit(EXIT_SUCCESS);
break;
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
case 'v':
debug_trace = 1;
break;
@@ -206,19 +206,19 @@
exit(EXIT_FAILURE);
}
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (strcmp(typetext, "rsa") == 0)
{
keytype = DROPBEAR_SIGNKEY_RSA;
}
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (strcmp(typetext, "dss") == 0)
{
keytype = DROPBEAR_SIGNKEY_DSS;
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (strcmp(typetext, "ecdsa") == 0)
{
keytype = DROPBEAR_SIGNKEY_ECDSA_KEYGEN;
diff --git a/dss.c b/dss.c
index b771ec0..7754107 100644
--- a/dss.c
+++ b/dss.c
@@ -37,7 +37,7 @@
* See FIPS186 or the Handbook of Applied Cryptography for details of the
* algorithm */
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
/* Load a dss key from a buffer, initialising the values.
* The key will have the same format as buf_put_dss_key.
@@ -153,7 +153,7 @@
}
-#ifdef DROPBEAR_SIGNKEY_VERIFY
+#if DROPBEAR_SIGNKEY_VERIFY
/* Verify a DSS signature (in buf) made on data by the key given.
* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) {
diff --git a/dss.h b/dss.h
index 4f164f3..adf2d55 100644
--- a/dss.h
+++ b/dss.h
@@ -28,7 +28,7 @@
#include "includes.h"
#include "buffer.h"
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
typedef struct {
@@ -42,7 +42,7 @@
} dropbear_dss_key;
void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
-#ifdef DROPBEAR_SIGNKEY_VERIFY
+#if DROPBEAR_SIGNKEY_VERIFY
int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
#endif
int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key);
diff --git a/ecc.c b/ecc.c
index e252884..9d97b5d 100644
--- a/ecc.c
+++ b/ecc.c
@@ -4,10 +4,10 @@
#include "dbutil.h"
#include "bignum.h"
-#ifdef DROPBEAR_ECC
+#if DROPBEAR_ECC
/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
struct dropbear_ecc_curve ecc_curve_nistp256 = {
32, /* .ltc_size */
NULL, /* .dp */
@@ -15,7 +15,7 @@
"nistp256" /* .name */
};
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
struct dropbear_ecc_curve ecc_curve_nistp384 = {
48, /* .ltc_size */
NULL, /* .dp */
@@ -23,7 +23,7 @@
"nistp384" /* .name */
};
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
struct dropbear_ecc_curve ecc_curve_nistp521 = {
66, /* .ltc_size */
NULL, /* .dp */
@@ -33,13 +33,13 @@
#endif
struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
&ecc_curve_nistp256,
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
&ecc_curve_nistp384,
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
&ecc_curve_nistp521,
#endif
NULL
diff --git a/ecc.h b/ecc.h
index 291cee0..22639c2 100644
--- a/ecc.h
+++ b/ecc.h
@@ -6,7 +6,7 @@
#include "buffer.h"
-#ifdef DROPBEAR_ECC
+#if DROPBEAR_ECC
struct dropbear_ecc_curve {
int ltc_size; /* to match the byte sizes in ltc_ecc_sets[] */
diff --git a/ecdsa.c b/ecdsa.c
index 14558b6..ed378be 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -6,7 +6,7 @@
#include "ecdsa.h"
#include "signkey.h"
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
int signkey_is_ecdsa(enum signkey_type type)
{
@@ -16,17 +16,17 @@
}
enum signkey_type ecdsa_signkey_type(ecc_key * key) {
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
if (key->dp == ecc_curve_nistp256.dp) {
return DROPBEAR_SIGNKEY_ECDSA_NISTP256;
}
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
if (key->dp == ecc_curve_nistp384.dp) {
return DROPBEAR_SIGNKEY_ECDSA_NISTP384;
}
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
if (key->dp == ecc_curve_nistp521.dp) {
return DROPBEAR_SIGNKEY_ECDSA_NISTP521;
}
@@ -38,17 +38,17 @@
const ltc_ecc_set_type *dp = NULL; /* curve domain parameters */
ecc_key *new_key = NULL;
switch (bit_size) {
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
case 256:
dp = ecc_curve_nistp256.dp;
break;
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
case 384:
dp = ecc_curve_nistp384.dp;
break;
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
case 521:
dp = ecc_curve_nistp521.dp;
break;
@@ -56,13 +56,13 @@
}
if (!dp) {
dropbear_exit("Key size %d isn't valid. Try "
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
"256 "
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
"384 "
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
"521 "
#endif
, bit_size);
diff --git a/ecdsa.h b/ecdsa.h
index 24792cb..84a8b50 100644
--- a/ecdsa.h
+++ b/ecdsa.h
@@ -5,14 +5,14 @@
#include "buffer.h"
#include "signkey.h"
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
/* Prefer the larger size - it's fast anyway */
-#if defined(DROPBEAR_ECC_521)
+#if DROPBEAR_ECC_521
#define ECDSA_DEFAULT_SIZE 521
-#elif defined(DROPBEAR_ECC_384)
+#elif DROPBEAR_ECC_384
#define ECDSA_DEFAULT_SIZE 384
-#elif defined(DROPBEAR_ECC_256)
+#elif DROPBEAR_ECC_256
#define ECDSA_DEFAULT_SIZE 256
#else
#define ECDSA_DEFAULT_SIZE 0
diff --git a/gendss.c b/gendss.c
index 783e25f..2b342a6 100644
--- a/gendss.c
+++ b/gendss.c
@@ -35,7 +35,7 @@
/* This is just a test */
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
static void getq(dropbear_dss_key *key);
static void getp(dropbear_dss_key *key, unsigned int size);
diff --git a/gendss.h b/gendss.h
index 8292ac9..33858f2 100644
--- a/gendss.h
+++ b/gendss.h
@@ -27,7 +27,7 @@
#include "dss.h"
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
dropbear_dss_key * gen_dss_priv_key(unsigned int size);
diff --git a/genrsa.c b/genrsa.c
index dfd81b3..e9aca76 100644
--- a/genrsa.c
+++ b/genrsa.c
@@ -31,7 +31,7 @@
#define RSA_E 65537
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
static void getrsaprime(mp_int* prime, mp_int *primeminus,
mp_int* rsa_e, unsigned int size_bytes);
diff --git a/genrsa.h b/genrsa.h
index acb43fb..641d5a5 100644
--- a/genrsa.h
+++ b/genrsa.h
@@ -27,7 +27,7 @@
#include "rsa.h"
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
dropbear_rsa_key * gen_rsa_priv_key(unsigned int size);
diff --git a/gensignkey.c b/gensignkey.c
index cdc16e6..55facc3 100644
--- a/gensignkey.c
+++ b/gensignkey.c
@@ -53,15 +53,15 @@
static int get_default_bits(enum signkey_type keytype)
{
switch (keytype) {
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
return RSA_DEFAULT_SIZE;
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
case DROPBEAR_SIGNKEY_DSS:
return DSS_DEFAULT_SIZE;
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
return ECDSA_DEFAULT_SIZE;
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
@@ -92,17 +92,17 @@
seedrandom();
switch(keytype) {
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
key->rsakey = gen_rsa_priv_key(bits);
break;
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
case DROPBEAR_SIGNKEY_DSS:
key->dsskey = gen_dss_priv_key(bits);
break;
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
diff --git a/ifndef_wrapper.sh b/ifndef_wrapper.sh
new file mode 100755
index 0000000..a5c5ce6
--- /dev/null
+++ b/ifndef_wrapper.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Wrap all "#define X Y" with a #ifndef X...#endif"
+
+sed -E 's/^(#define ([^ ]+) .*)/#ifndef \2\
+\1\
+#endif/'
diff --git a/kex.h b/kex.h
index ece995d..7b98cd5 100644
--- a/kex.h
+++ b/kex.h
@@ -40,14 +40,14 @@
void kexdh_comb_key(struct kex_dh_param *param, mp_int *dh_pub_them,
sign_key *hostkey);
-#ifdef DROPBEAR_ECDH
+#if DROPBEAR_ECDH
struct kex_ecdh_param *gen_kexecdh_param(void);
void free_kexecdh_param(struct kex_ecdh_param *param);
void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them,
sign_key *hostkey);
#endif
-#ifdef DROPBEAR_CURVE25519
+#if DROPBEAR_CURVE25519
struct kex_curve25519_param *gen_kexcurve25519_param(void);
void free_kexcurve25519_param(struct kex_curve25519_param *param);
void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *pub_them,
@@ -88,13 +88,13 @@
mp_int priv; /* x */
};
-#ifdef DROPBEAR_ECDH
+#if DROPBEAR_ECDH
struct kex_ecdh_param {
ecc_key key;
};
#endif
-#ifdef DROPBEAR_CURVE25519
+#if DROPBEAR_CURVE25519
#define CURVE25519_LEN 32
struct kex_curve25519_param {
unsigned char priv[CURVE25519_LEN];
diff --git a/keyimport.c b/keyimport.c
index 66a6df7..d64a6f7 100644
--- a/keyimport.c
+++ b/keyimport.c
@@ -36,9 +36,11 @@
#include "dbutil.h"
#include "ecc.h"
+#if DROPBEAR_ECDSA
static const unsigned char OID_SEC256R1_BLOB[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
static const unsigned char OID_SEC384R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
static const unsigned char OID_SEC521R1_BLOB[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
+#endif
#define PUT_32BIT(cp, value) do { \
(cp)[3] = (unsigned char)(value); \
@@ -60,6 +62,8 @@
static int dropbear_write(const char*filename, sign_key * key);
static sign_key *dropbear_read(const char* filename);
+static int toint(unsigned u);
+
#if 0
static int sshcom_encrypted(const char *filename, char **comment);
static struct ssh2_userkey *sshcom_read(const char *filename, char *passphrase);
@@ -241,12 +245,11 @@
if ((*p & 0x1F) == 0x1F) {
*id = 0;
while (*p & 0x80) {
- *id = (*id << 7) | (*p & 0x7F);
p++, sourcelen--;
if (sourcelen == 0)
return -1;
+ *id = (*id << 7) | (*p & 0x7F);
}
- *id = (*id << 7) | (*p & 0x7F);
p++, sourcelen--;
} else {
*id = *p & 0x1F;
@@ -257,19 +260,26 @@
return -1;
if (*p & 0x80) {
+ unsigned len;
int n = *p & 0x7F;
p++, sourcelen--;
if (sourcelen < n)
return -1;
- *length = 0;
+ len = 0;
while (n--)
- *length = (*length << 8) | (*p++);
+ len = (len << 8) | (*p++);
sourcelen -= n;
+ *length = toint(len);
} else {
*length = *p;
p++, sourcelen--;
}
+ if (*length < 0) {
+ printf("Negative ASN.1 length\n");
+ return -1;
+ }
+
return p - (unsigned char *) source;
}
@@ -467,7 +477,7 @@
m_burn(buffer, sizeof(buffer));
return ret;
- error:
+error:
m_burn(buffer, sizeof(buffer));
if (ret) {
if (ret->keyblob) {
@@ -582,8 +592,9 @@
/* Expect the SEQUENCE header. Take its absence as a failure to decrypt. */
ret = ber_read_id_len(p, key->keyblob_len, &id, &len, &flags);
p += ret;
- if (ret < 0 || id != 16) {
- errmsg = "ASN.1 decoding failure - wrong password?";
+ if (ret < 0 || id != 16 || len < 0 ||
+ key->keyblob+key->keyblob_len-p < len) {
+ errmsg = "ASN.1 decoding failure";
goto error;
}
@@ -600,13 +611,13 @@
*/
blobbuf = buf_new(3000);
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (key->type == OSSH_DSA) {
buf_putstring(blobbuf, "ssh-dss", 7);
retkey->type = DROPBEAR_SIGNKEY_DSS;
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (key->type == OSSH_RSA) {
buf_putstring(blobbuf, "ssh-rsa", 7);
retkey->type = DROPBEAR_SIGNKEY_RSA;
@@ -617,7 +628,7 @@
ret = ber_read_id_len(p, key->keyblob+key->keyblob_len-p,
&id, &len, &flags);
p += ret;
- if (ret < 0 || id != 2 ||
+ if (ret < 0 || id != 2 || len < 0 ||
key->keyblob+key->keyblob_len-p < len) {
errmsg = "ASN.1 decoding failure";
goto error;
@@ -666,7 +677,7 @@
p += len;
}
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (key->type == OSSH_EC) {
unsigned char* private_key_bytes = NULL;
int private_key_len = 0;
@@ -683,7 +694,7 @@
&id, &len, &flags);
p += ret;
/* id==4 for octet string */
- if (ret < 0 || id != 4 ||
+ if (ret < 0 || id != 4 || len < 0 ||
key->keyblob+key->keyblob_len-p < len) {
errmsg = "ASN.1 decoding failure";
goto error;
@@ -697,7 +708,7 @@
&id, &len, &flags);
p += ret;
/* id==0 */
- if (ret < 0 || id != 0) {
+ if (ret < 0 || id != 0 || len < 0) {
errmsg = "ASN.1 decoding failure";
goto error;
}
@@ -706,28 +717,28 @@
&id, &len, &flags);
p += ret;
/* id==6 for object */
- if (ret < 0 || id != 6 ||
+ if (ret < 0 || id != 6 || len < 0 ||
key->keyblob+key->keyblob_len-p < len) {
errmsg = "ASN.1 decoding failure";
goto error;
}
if (0) {}
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECC_256
else if (len == sizeof(OID_SEC256R1_BLOB)
&& memcmp(p, OID_SEC256R1_BLOB, len) == 0) {
retkey->type = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
curve = &ecc_curve_nistp256;
}
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
else if (len == sizeof(OID_SEC384R1_BLOB)
&& memcmp(p, OID_SEC384R1_BLOB, len) == 0) {
retkey->type = DROPBEAR_SIGNKEY_ECDSA_NISTP384;
curve = &ecc_curve_nistp384;
}
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
else if (len == sizeof(OID_SEC521R1_BLOB)
&& memcmp(p, OID_SEC521R1_BLOB, len) == 0) {
retkey->type = DROPBEAR_SIGNKEY_ECDSA_NISTP521;
@@ -745,7 +756,7 @@
&id, &len, &flags);
p += ret;
/* id==1 */
- if (ret < 0 || id != 1) {
+ if (ret < 0 || id != 1 || len < 0) {
errmsg = "ASN.1 decoding failure";
goto error;
}
@@ -754,7 +765,7 @@
&id, &len, &flags);
p += ret;
/* id==3 for bit string */
- if (ret < 0 || id != 3 ||
+ if (ret < 0 || id != 3 || len < 0 ||
key->keyblob+key->keyblob_len-p < len) {
errmsg = "ASN.1 decoding failure";
goto error;
@@ -830,15 +841,15 @@
int ret = 0;
FILE *fp;
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
mp_int dmp1, dmq1, iqmp, tmpval; /* for rsa */
#endif
if (
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
key->type == DROPBEAR_SIGNKEY_RSA ||
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
key->type == DROPBEAR_SIGNKEY_DSS ||
#endif
0)
@@ -1024,7 +1035,7 @@
}
} /* end RSA and DSS handling */
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (key->type == DROPBEAR_SIGNKEY_ECDSA_NISTP256
|| key->type == DROPBEAR_SIGNKEY_ECDSA_NISTP384
|| key->type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
@@ -1379,7 +1390,7 @@
memset(ret->keyblob, 0, ret->keyblob_size);
m_free(ret->keyblob);
}
- memset(&ret, 0, sizeof(ret));
+ memset(ret, 0, sizeof(*ret));
m_free(ret);
}
return NULL;
@@ -1407,11 +1418,12 @@
pos = 8;
if (key->keyblob_len < pos+4)
goto done; /* key is far too short */
- pos += 4 + GET_32BIT(key->keyblob + pos); /* skip key type */
- if (key->keyblob_len < pos+4)
+ len = toint(GET_32BIT(key->keyblob + pos));
+ if (len < 0 || len > key->keyblob_len - pos - 4)
goto done; /* key is far too short */
- len = GET_32BIT(key->keyblob + pos); /* find cipher-type length */
- if (key->keyblob_len < pos+4+len)
+ pos += 4 + len; /* skip key type */
+ len = toint(GET_32BIT(key->keyblob + pos)); /* find cipher-type length */
+ if (len < 0 || len > key->keyblob_len - pos - 4)
goto done; /* cipher type string is incomplete */
if (len != 4 || 0 != memcmp(key->keyblob + pos + 4, "none", 4))
answer = 1;
@@ -1420,15 +1432,14 @@
*comment = dupstr(key->comment);
memset(key->keyblob, 0, key->keyblob_size);
m_free(key->keyblob);
- memset(&key, 0, sizeof(key));
+ memset(key, 0, sizeof(*key));
m_free(key);
return answer;
}
static int sshcom_read_mpint(void *data, int len, struct mpint_pos *ret)
{
- int bits;
- int bytes;
+ unsigned bits, bytes;
unsigned char *d = (unsigned char *) data;
if (len < 4)
@@ -1481,7 +1492,7 @@
struct ssh2_userkey *ret = NULL, *retkey;
const struct ssh_signkey *alg;
unsigned char *blob = NULL;
- int blobsize, publen, privlen;
+ int blobsize = 0, publen, privlen;
if (!key)
return NULL;
@@ -1601,8 +1612,8 @@
/*
* Strip away the containing string to get to the real meat.
*/
- len = GET_32BIT(ciphertext);
- if (len > cipherlen-4) {
+ len = toint(GET_32BIT(ciphertext));
+ if (len < 0 || len > cipherlen-4) {
errmsg = "containing string was ill-formed";
goto error;
}
@@ -1669,7 +1680,8 @@
publen = pos;
pos += put_mp(blob+pos, x.start, x.bytes);
privlen = pos - publen;
- }
+ } else
+ return NULL;
dropbear_assert(privlen > 0); /* should have bombed by now if not */
@@ -1693,7 +1705,7 @@
}
memset(key->keyblob, 0, key->keyblob_size);
m_free(key->keyblob);
- memset(&key, 0, sizeof(key));
+ memset(key, 0, sizeof(*key));
m_free(key);
return ret;
}
@@ -1906,3 +1918,27 @@
return ret;
}
#endif /* ssh.com stuff disabled */
+
+/* From PuTTY misc.c */
+static int toint(unsigned u)
+{
+ /*
+ * Convert an unsigned to an int, without running into the
+ * undefined behaviour which happens by the strict C standard if
+ * the value overflows. You'd hope that sensible compilers would
+ * do the sensible thing in response to a cast, but actually I
+ * don't trust modern compilers not to do silly things like
+ * assuming that _obviously_ you wouldn't have caused an overflow
+ * and so they can elide an 'if (i < 0)' test immediately after
+ * the cast.
+ *
+ * Sensible compilers ought of course to optimise this entire
+ * function into 'just return the input value'!
+ */
+ if (u <= (unsigned)INT_MAX)
+ return (int)u;
+ else if (u >= (unsigned)INT_MIN) /* wrap in cast _to_ unsigned is OK */
+ return INT_MIN + (int)(u - (unsigned)INT_MIN);
+ else
+ return INT_MIN; /* fallback; should never occur on binary machines */
+}
diff --git a/ltc_prng.c b/ltc_prng.c
index aa68cce..1188ac8 100644
--- a/ltc_prng.c
+++ b/ltc_prng.c
@@ -26,7 +26,7 @@
* in the various other functions.
*/
-#ifdef DROPBEAR_LTC_PRNG
+#if DROPBEAR_LTC_PRNG
/**
Start the PRNG
diff --git a/ltc_prng.h b/ltc_prng.h
index 6888512..5e00759 100644
--- a/ltc_prng.h
+++ b/ltc_prng.h
@@ -4,7 +4,7 @@
#include "options.h"
#include "includes.h"
-#ifdef DROPBEAR_LTC_PRNG
+#if DROPBEAR_LTC_PRNG
extern const struct ltc_prng_descriptor dropbear_prng_desc;
diff --git a/netio.c b/netio.c
index 6c13a00..2e57534 100644
--- a/netio.c
+++ b/netio.c
@@ -53,7 +53,7 @@
struct addrinfo *r;
int res = 0;
int fastopen = 0;
-#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN
+#if DROPBEAR_CLIENT_TCP_FAST_OPEN
struct msghdr message;
#endif
@@ -61,7 +61,7 @@
{
dropbear_assert(c->sock == -1);
- c->sock = socket(c->res_iter->ai_family, c->res_iter->ai_socktype, c->res_iter->ai_protocol);
+ c->sock = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
if (c->sock < 0) {
continue;
}
@@ -70,7 +70,7 @@
set_sock_nodelay(c->sock);
setnonblocking(c->sock);
-#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN
+#if DROPBEAR_CLIENT_TCP_FAST_OPEN
fastopen = (c->writequeue != NULL);
if (fastopen) {
@@ -290,7 +290,7 @@
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val));
}
-#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
+#if DROPBEAR_SERVER_TCP_FAST_OPEN
void set_listen_fast_open(int sock) {
int qlen = MAX(MAX_UNAUTH_PER_IP, 5);
if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) {
diff --git a/netio.h b/netio.h
index f6a1095..6a29bdf 100644
--- a/netio.h
+++ b/netio.h
@@ -48,7 +48,7 @@
void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count);
void packet_queue_consume(struct Queue *queue, ssize_t written);
-#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
+#if DROPBEAR_SERVER_TCP_FAST_OPEN
/* Try for any Linux builds, will fall back if the kernel doesn't support it */
void set_listen_fast_open(int sock);
/* Define values which may be supported by the kernel even if the libc is too old */
diff --git a/options.h b/options.h
index 0c51bb1..9350020 100644
--- a/options.h
+++ b/options.h
@@ -1,356 +1,19 @@
-/* Dropbear SSH
- * Copyright (c) 2002,2003 Matt Johnston
- * All rights reserved. See LICENSE for the license. */
+#ifndef DROPBEAR_OPTIONS_H
+#define DROPBEAR_OPTIONS_H
-#ifndef DROPBEAR_OPTIONS_H_
-#define DROPBEAR_OPTIONS_H_
+/*
+Local compile-time configuration should be defined in localoptions.h
+See default_options.h.in for a description of the available options.
+*/
-/* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
- * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
-
-/* IMPORTANT: Many options will require "make clean" after changes */
-
-#ifndef DROPBEAR_DEFPORT
-#define DROPBEAR_DEFPORT "22"
+#ifdef LOCALOPTIONS_H_EXISTS
+#include "localoptions.h"
#endif
-#ifndef DROPBEAR_DEFADDRESS
-/* Listen on all interfaces */
-#define DROPBEAR_DEFADDRESS ""
-#endif
+#include "default_options.h"
-/* Default hostkey paths - these can be specified on the command line */
-#ifndef DSS_PRIV_FILENAME
-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
-#endif
-#ifndef RSA_PRIV_FILENAME
-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
-#endif
-#ifndef ECDSA_PRIV_FILENAME
-#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
-#endif
-
-/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
- * on chosen ports and keeps accepting connections. This is the default.
- *
- * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
- * similar), where it will use stdin/stdout for connections, and each process
- * lasts for a single connection. Dropbear should be invoked with the -i flag
- * for inetd, and can only accept IPv4 connections.
- *
- * Both of these flags can be defined at once, don't compile without at least
- * one of them. */
-#define NON_INETD_MODE
-#define INETD_MODE
-
-/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
- * if you want to use this) */
-/*#define NO_FAST_EXPTMOD*/
-
-/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
-several kB in binary size however will make the symmetrical ciphers and hashes
-slower, perhaps by 50%. Recommended for small systems that aren't doing
-much traffic. */
-#define DROPBEAR_SMALL_CODE
-
-/* Enable X11 Forwarding - server only */
-#define ENABLE_X11FWD
-
-/* Enable TCP Fowarding */
-/* 'Local' is "-L" style (client listening port forwarded via server)
- * 'Remote' is "-R" style (server listening port forwarded via client) */
-
-#define ENABLE_CLI_LOCALTCPFWD
-#define ENABLE_CLI_REMOTETCPFWD
-
-#define ENABLE_SVR_LOCALTCPFWD
-#define ENABLE_SVR_REMOTETCPFWD
-
-/* Enable Authentication Agent Forwarding */
-#define ENABLE_SVR_AGENTFWD
-#define ENABLE_CLI_AGENTFWD
-
-
-/* Note: Both ENABLE_CLI_PROXYCMD and ENABLE_CLI_NETCAT must be set to
- * allow multihop dbclient connections */
-
-/* Allow using -J <proxycommand> to run the connection through a
- pipe to a program, rather the normal TCP connection */
-#define ENABLE_CLI_PROXYCMD
-
-/* Enable "Netcat mode" option. This will forward standard input/output
- * to a remote TCP-forwarded connection */
-#define ENABLE_CLI_NETCAT
-
-/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#define ENABLE_USER_ALGO_LIST
-
-/* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
- * Including multiple keysize variants the same cipher
- * (eg AES256 as well as AES128) will result in a minimal size increase.*/
-#define DROPBEAR_AES128
-#define DROPBEAR_3DES
-#define DROPBEAR_AES256
-/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-/*#define DROPBEAR_BLOWFISH*/
-#define DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH128
-
-/* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
-#define DROPBEAR_ENABLE_CBC_MODE
-
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. It is recommended for security
- * and forwards compatibility */
-#define DROPBEAR_ENABLE_CTR_MODE
-
-/* Twofish counter mode is disabled by default because it
-has not been tested for interoperability with other SSH implementations.
-If you test it please contact the Dropbear author */
-/* #define DROPBEAR_TWOFISH_CTR */
-
-/* You can compile with no encryption if you want. In some circumstances
- * this could be safe security-wise, though make sure you know what
- * you're doing. Anyone can see everything that goes over the wire, so
- * the only safe auth method is public key. */
-/* #define DROPBEAR_NONE_CIPHER */
-
-/* Message Integrity - at least one required.
- * Protocol RFC requires sha1 and recommends sha1-96.
- * sha1-96 is of use for slow links as it has a smaller overhead.
- *
- * There's no reason to disable sha1 or sha1-96 to save space since it's
- * used for the random number generator and public-key cryptography anyway.
- * Disabling it here will just stop it from being used as the integrity portion
- * of the ssh protocol.
- *
- * These hashes are also used for public key fingerprints in logs.
- * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
- * which are not the standard form. */
-#define DROPBEAR_SHA1_HMAC
-#define DROPBEAR_SHA1_96_HMAC
-#define DROPBEAR_SHA2_256_HMAC
-#define DROPBEAR_SHA2_512_HMAC
-#define DROPBEAR_MD5_HMAC
-
-/* You can also disable integrity. Don't bother disabling this if you're
- * still using a cipher, it's relatively cheap. If you disable this it's dead
- * simple for an attacker to run arbitrary commands on the remote host. Beware. */
-/* #define DROPBEAR_NONE_INTEGRITY */
-
-/* Hostkey/public key algorithms - at least one required, these are used
- * for hostkey as well as for verifying signatures with pubkey auth.
- * Removing either of these won't save very much space.
- * SSH2 RFC Draft requires dss, recommends rsa */
-#define DROPBEAR_RSA
-#define DROPBEAR_DSS
-/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
- * code (either ECDSA or ECDH) increases binary size - around 30kB
- * on x86-64 */
-#define DROPBEAR_ECDSA
-
-/* Generate hostkeys as-needed when the first connection using that key type occurs.
- This avoids the need to otherwise run "dropbearkey" and avoids some problems
- with badly seeded /dev/urandom when systems first boot.
- This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly
- anything if dropbearkey is linked in a "dropbearmulti" binary) */
-#define DROPBEAR_DELAY_HOSTKEY
-
-/* Enable Curve25519 for key exchange. This is another elliptic
- * curve method with good security properties. Increases binary size
- * by ~8kB on x86-64 */
-#define DROPBEAR_CURVE25519
-
-/* Enable elliptic curve Diffie Hellman key exchange, see note about
- * ECDSA above */
-#define DROPBEAR_ECDH
-
-/* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though
- is the only option for interoperability with some older SSH programs */
-#define DROPBEAR_DH_GROUP1 1
-#define DROPBEAR_DH_GROUP14 1
-
-/* Control the memory/performance/compression tradeoff for zlib.
- * Set windowBits=8 for least memory usage, see your system's
- * zlib.h for full details.
- * Default settings (windowBits=15) will use 256kB for compression
- * windowBits=8 will use 129kB for compression.
- * Both modes will use ~35kB for decompression (using windowBits=15 for
- * interoperability) */
-#ifndef DROPBEAR_ZLIB_WINDOW_BITS
-#define DROPBEAR_ZLIB_WINDOW_BITS 15
-#endif
-
-/* Server won't allow zlib compression until after authentication. Prevents
- flaws in the zlib library being unauthenticated exploitable flaws.
- Some old ssh clients may not support the alternative zlib@openssh.com method */
-#define DROPBEAR_SERVER_DELAY_ZLIB 1
-
-/* Whether to do reverse DNS lookups. */
-/*#define DO_HOST_LOOKUP */
-
-/* Whether to print the message of the day (MOTD). This doesn't add much code
- * size */
-#define DO_MOTD
-
-/* The MOTD file path */
-#ifndef MOTD_FILENAME
-#define MOTD_FILENAME "/etc/motd"
-#endif
-
-/* Authentication Types - at least one required.
- RFC Draft requires pubkey auth, and recommends password */
-
-/* Note: PAM auth is quite simple and only works for PAM modules which just do
- * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
- * It's useful for systems like OS X where standard password crypts don't work
- * but there's an interface via a PAM module. It won't work for more complex
- * PAM challenge/response.
- * You can't enable both PASSWORD and PAM. */
-
-/* This requires crypt() */
-#ifdef HAVE_CRYPT
-#define ENABLE_SVR_PASSWORD_AUTH
-#endif
-/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH */
-#define ENABLE_SVR_PUBKEY_AUTH
-
-/* Whether to take public key options in
- * authorized_keys file into account */
-#ifdef ENABLE_SVR_PUBKEY_AUTH
-#define ENABLE_SVR_PUBKEY_OPTIONS
-#endif
-
-/* This requires getpass. */
-#ifdef HAVE_GETPASS
-#define ENABLE_CLI_PASSWORD_AUTH
-#define ENABLE_CLI_INTERACT_AUTH
-#endif
-#define ENABLE_CLI_PUBKEY_AUTH
-
-/* A default argument for dbclient -i <privatekey>.
-Homedir is prepended unless path begins with / */
-#define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
-
-/* This variable can be used to set a password for client
- * authentication on the commandline. Beware of platforms
- * that don't protect environment variables of processes etc. Also
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
-
-/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
- * a helper program for the ssh client. The helper program should be
- * specified in the SSH_ASKPASS environment variable, and dbclient
- * should be run with DISPLAY set and no tty. The program should
- * return the password on standard output */
-/*#define ENABLE_CLI_ASKPASS_HELPER*/
-
-/* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods. It is at the expense of < 100
- * bytes of extra network traffic. This is not yet enabled by default since it
- * could cause problems with non-compliant servers */
-/* #define DROPBEAR_CLI_IMMEDIATE_AUTH */
-
-/* Source for randomness. This must be able to provide hundreds of bytes per SSH
- * connection without blocking. In addition /dev/random is used for seeding
- * rsa/dss key generation */
-#define DROPBEAR_URANDOM_DEV "/dev/urandom"
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
-/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
-
-
-/* Specify the number of clients we will allow to be connected but
- * not yet authenticated. After this limit, connections are rejected */
-/* The first setting is per-IP, to avoid denial of service */
-#ifndef MAX_UNAUTH_PER_IP
-#define MAX_UNAUTH_PER_IP 5
-#endif
-
-/* And then a global limit to avoid chewing memory if connections
- * come from many IPs */
-#ifndef MAX_UNAUTH_CLIENTS
-#define MAX_UNAUTH_CLIENTS 30
-#endif
-
-/* Maximum number of failed authentication tries (server option) */
-#ifndef MAX_AUTH_TRIES
-#define MAX_AUTH_TRIES 10
-#endif
-
-/* The default file to store the daemon's process ID, for shutdown
- scripts etc. This can be overridden with the -P flag */
-#ifndef DROPBEAR_PIDFILE
-#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
-#endif
-
-/* The command to invoke for xauth when using X11 forwarding.
- * "-q" for quiet */
-#ifndef XAUTH_COMMAND
-#define XAUTH_COMMAND "/usr/bin/xauth -q"
-#endif
-
-/* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
-#ifndef SFTPSERVER_PATH
-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
-#endif
-
-/* This is used by the scp binary when used as a client binary. If you're
- * not using the Dropbear client, you'll need to change it */
-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-
-/* Whether to log commands executed by a client. This only logs the
- * (single) command sent to the server, not what a user did in a
- * shell/sftp session etc. */
-/* #define LOG_COMMANDS */
-
-/* Window size limits. These tend to be a trade-off between memory
- usage and network performance: */
-/* Size of the network receive window. This amount of memory is allocated
- as a per-channel receive buffer. Increasing this value can make a
- significant difference to network performance. 24kB was empirically
- chosen for a 100mbit ethernet network. The value can be altered at
- runtime with the -W argument. */
-#ifndef DEFAULT_RECV_WINDOW
-#define DEFAULT_RECV_WINDOW 24576
-#endif
-/* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
- in order to interoperate with other implementations */
-#ifndef RECV_MAX_PAYLOAD_LEN
-#define RECV_MAX_PAYLOAD_LEN 32768
-#endif
-/* Maximum size of a transmitted data packet - this can be any value,
- though increasing it may not make a significant difference. */
-#ifndef TRANS_MAX_PAYLOAD_LEN
-#define TRANS_MAX_PAYLOAD_LEN 16384
-#endif
-
-/* Ensure that data is transmitted every KEEPALIVE seconds. This can
-be overridden at runtime with -K. 0 disables keepalives */
-#define DEFAULT_KEEPALIVE 0
-
-/* If this many KEEPALIVES are sent with no packets received from the
-other side, exit. Not run-time configurable - if you have a need
-for runtime configuration please mail the Dropbear list */
-#define DEFAULT_KEEPALIVE_LIMIT 3
-
-/* Ensure that data is received within IDLE_TIMEOUT seconds. This can
-be overridden at runtime with -I. 0 disables idle timeouts */
-#define DEFAULT_IDLE_TIMEOUT 0
-
-/* The default path. This will often get replaced by the shell */
-#define DEFAULT_PATH "/usr/bin:/bin"
-
-/* Some other defines (that mostly should be left alone) are defined
+/* Some other defines that mostly should be left alone are defined
* in sysoptions.h */
#include "sysoptions.h"
-#endif /* DROPBEAR_OPTIONS_H_ */
+#endif /* DROPBEAR_OPTIONS_H */
diff --git a/rsa.c b/rsa.c
index 4fa4088..0e6639e 100644
--- a/rsa.c
+++ b/rsa.c
@@ -36,7 +36,7 @@
#include "ssh.h"
#include "dbrandom.h"
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
static void rsa_pad_em(dropbear_rsa_key * key,
buffer *data_buf, mp_int * rsa_em);
@@ -204,7 +204,7 @@
}
-#ifdef DROPBEAR_SIGNKEY_VERIFY
+#if DROPBEAR_SIGNKEY_VERIFY
/* Verify a signature in buf, made on data by the key given.
* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf) {
@@ -279,7 +279,7 @@
/* the actual signing of the padded data */
-#ifdef RSA_BLINDING
+#if DROPBEAR_RSA_BLINDING
/* With blinding, s = (r^(-1))((em)*r^e)^d mod n */
@@ -322,7 +322,7 @@
dropbear_exit("RSA error");
}
-#endif /* RSA_BLINDING */
+#endif /* DROPBEAR_RSA_BLINDING */
mp_clear_multi(&rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
diff --git a/rsa.h b/rsa.h
index 94bde5c..57be5bb 100644
--- a/rsa.h
+++ b/rsa.h
@@ -28,7 +28,7 @@
#include "includes.h"
#include "buffer.h"
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
#define RSA_SIGNATURE_SIZE (4+7+4+40)
@@ -44,7 +44,7 @@
} dropbear_rsa_key;
void buf_put_rsa_sign(buffer* buf, dropbear_rsa_key *key, buffer *data_buf);
-#ifdef DROPBEAR_SIGNKEY_VERIFY
+#if DROPBEAR_SIGNKEY_VERIFY
int buf_rsa_verify(buffer * buf, dropbear_rsa_key *key, buffer *data_buf);
#endif
int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key);
diff --git a/runopts.h b/runopts.h
index f7c869d..cecdc22 100644
--- a/runopts.h
+++ b/runopts.h
@@ -33,8 +33,8 @@
typedef struct runopts {
-#if defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) \
- || defined(ENABLE_CLI_REMOTETCPFWD)
+#if DROPBEAR_SVR_REMOTETCPFWD || DROPBEAR_CLI_LOCALTCPFWD \
+ || DROPBEAR_CLI_REMOTETCPFWD
int listen_fwd_all;
#endif
unsigned int recv_window;
@@ -53,7 +53,7 @@
} compress_mode;
#endif
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
char *cipher_list;
char *mac_list;
#endif
@@ -97,10 +97,10 @@
int norootpass;
int allowblankpass;
-#ifdef ENABLE_SVR_REMOTETCPFWD
+#if DROPBEAR_SVR_REMOTETCPFWD
int noremotetcp;
#endif
-#ifdef ENABLE_SVR_LOCALTCPFWD
+#if DROPBEAR_SVR_LOCALTCPFWD
int nolocaltcp;
#endif
@@ -114,6 +114,8 @@
buffer * banner;
char * pidfile;
+ char * forced_command;
+
} svr_runopts;
extern svr_runopts svr_opts;
@@ -137,19 +139,19 @@
int no_cmd;
int backgrounded;
int is_subsystem;
-#ifdef ENABLE_CLI_PUBKEY_AUTH
+#if DROPBEAR_CLI_PUBKEY_AUTH
m_list *privkeys; /* Keys to use for public-key auth */
#endif
-#ifdef ENABLE_CLI_ANYTCPFWD
+#if DROPBEAR_CLI_ANYTCPFWD
int exit_on_fwd_failure;
#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
+#if DROPBEAR_CLI_REMOTETCPFWD
m_list * remotefwds;
#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
+#if DROPBEAR_CLI_LOCALTCPFWD
m_list * localfwds;
#endif
-#ifdef ENABLE_CLI_AGENTFWD
+#if DROPBEAR_CLI_AGENTFWD
int agent_fwd;
int agent_keys_loaded; /* whether pubkeys has been populated with a
list of keys held by the agent */
@@ -157,11 +159,11 @@
agent sessions have their own file descriptors */
#endif
-#ifdef ENABLE_CLI_NETCAT
+#if DROPBEAR_CLI_NETCAT
char *netcat_host;
unsigned int netcat_port;
#endif
-#ifdef ENABLE_CLI_PROXYCMD
+#if DROPBEAR_CLI_PROXYCMD
char *proxycmd;
#endif
} cli_runopts;
@@ -169,7 +171,7 @@
extern cli_runopts cli_opts;
void cli_getopts(int argc, char ** argv);
-#ifdef ENABLE_USER_ALGO_LIST
+#if DROPBEAR_USER_ALGO_LIST
void parse_ciphers_macs(void);
#endif
diff --git a/scp.c b/scp.c
index 5690330..742ae00 100644
--- a/scp.c
+++ b/scp.c
@@ -133,7 +133,7 @@
fprintf(stderr, " %s", a->list[i]);
fprintf(stderr, "\n");
}
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
pid = vfork();
#else
pid = fork();
@@ -144,7 +144,7 @@
if (pid == 0) {
execvp(a->list[0], a->list);
perror(a->list[0]);
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
_exit(1);
#else
exit(1);
@@ -213,12 +213,12 @@
/* uClinux needs to build the args here before vforking,
otherwise we do it later on. */
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
arg_setup(host, remuser, cmd);
#endif
/* Fork a child to execute the command on the remote host using ssh. */
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
do_cmd_pid = vfork();
#else
do_cmd_pid = fork();
@@ -233,13 +233,13 @@
close(pin[0]);
close(pout[1]);
-#ifndef USE_VFORK
+#if !DROPBEAR_VFORK
arg_setup(host, remuser, cmd);
#endif
execvp(ssh_program, args.list);
perror(ssh_program);
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
_exit(1);
#else
exit(1);
@@ -248,7 +248,7 @@
fatal("fork: %s", strerror(errno));
}
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
/* clean up command */
/* pop cmd */
xfree(args.list[args.num-1]);
@@ -304,8 +304,8 @@
void toremote(char *, int, char *[]);
void usage(void);
-#if defined(DBMULTI_scp) || !defined(DROPBEAR_MULTI)
-#if defined(DBMULTI_scp) && defined(DROPBEAR_MULTI)
+#if defined(DBMULTI_scp) || !DROPBEAR_MULTI
+#if defined(DBMULTI_scp) && DROPBEAR_MULTI
int scp_main(int argc, char **argv)
#else
int
diff --git a/session.h b/session.h
index 3a3569d..5d9e2ab 100644
--- a/session.h
+++ b/session.h
@@ -79,7 +79,7 @@
/* actual keys */
union {
symmetric_CBC cbc;
-#ifdef DROPBEAR_ENABLE_CTR_MODE
+#if DROPBEAR_ENABLE_CTR_MODE
symmetric_CTR ctr;
#endif
} cipher_state;
@@ -237,7 +237,7 @@
/* The resolved remote address, used for lastlog etc */
char *remotehost;
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
pid_t server_pid;
#endif
@@ -288,7 +288,7 @@
int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
for the last type of auth we tried */
int ignore_next_auth_response;
-#ifdef ENABLE_CLI_INTERACT_AUTH
+#if DROPBEAR_CLI_INTERACT_AUTH
int auth_interact_failed; /* flag whether interactive auth can still
be used */
int interact_request_received; /* flag whether we've received an
@@ -311,11 +311,11 @@
/* Global structs storing the state */
extern struct sshsession ses;
-#ifdef DROPBEAR_SERVER
+#if DROPBEAR_SERVER
extern struct serversession svr_ses;
#endif /* DROPBEAR_SERVER */
-#ifdef DROPBEAR_CLIENT
+#if DROPBEAR_CLIENT
extern struct clientsession cli_ses;
#endif /* DROPBEAR_CLIENT */
diff --git a/signkey.c b/signkey.c
index 9cbf2b0..2c29431 100644
--- a/signkey.c
+++ b/signkey.c
@@ -30,13 +30,13 @@
#include "ecdsa.h"
static const char * const signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = {
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
"ssh-rsa",
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
"ssh-dss",
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
"ecdsa-sha2-nistp256",
"ecdsa-sha2-nistp384",
"ecdsa-sha2-nistp521"
@@ -75,7 +75,7 @@
if (namelen == strlen(fixed_name)
&& memcmp(fixed_name, name, namelen) == 0) {
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
/* Some of the ECDSA key sizes are defined even if they're not compiled in */
if (0
#ifndef DROPBEAR_ECC_256
@@ -106,25 +106,25 @@
void **
signkey_key_ptr(sign_key *key, enum signkey_type type) {
switch (type) {
-#ifdef DROPBEAR_ECDSA
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDSA
+#if DROPBEAR_ECC_256
case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
return (void**)&key->ecckey256;
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
return (void**)&key->ecckey384;
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
return (void**)&key->ecckey521;
#endif
#endif /* DROPBEAR_ECDSA */
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
return (void**)&key->rsakey;
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
case DROPBEAR_SIGNKEY_DSS:
return (void**)&key->dsskey;
#endif
@@ -161,7 +161,7 @@
/* Rewind the buffer back before "ssh-rsa" etc */
buf_incrpos(buf, -len - 4);
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (keytype == DROPBEAR_SIGNKEY_DSS) {
dss_key_free(key->dsskey);
key->dsskey = m_malloc(sizeof(*key->dsskey));
@@ -171,7 +171,7 @@
}
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (keytype == DROPBEAR_SIGNKEY_RSA) {
rsa_key_free(key->rsakey);
key->rsakey = m_malloc(sizeof(*key->rsakey));
@@ -181,7 +181,7 @@
}
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (signkey_is_ecdsa(keytype)) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
if (eck) {
@@ -230,7 +230,7 @@
/* Rewind the buffer back before "ssh-rsa" etc */
buf_incrpos(buf, -len - 4);
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (keytype == DROPBEAR_SIGNKEY_DSS) {
dss_key_free(key->dsskey);
key->dsskey = m_malloc(sizeof(*key->dsskey));
@@ -240,7 +240,7 @@
}
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (keytype == DROPBEAR_SIGNKEY_RSA) {
rsa_key_free(key->rsakey);
key->rsakey = m_malloc(sizeof(*key->rsakey));
@@ -250,7 +250,7 @@
}
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (signkey_is_ecdsa(keytype)) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
if (eck) {
@@ -281,17 +281,17 @@
TRACE2(("enter buf_put_pub_key"))
pubkeys = buf_new(MAX_PUBKEY_SIZE);
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
buf_put_dss_pub_key(pubkeys, key->dsskey);
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
buf_put_rsa_pub_key(pubkeys, key->rsakey);
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (signkey_is_ecdsa(type)) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
if (eck) {
@@ -314,21 +314,21 @@
TRACE(("enter buf_put_priv_key"))
TRACE(("type is %d", type))
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
buf_put_dss_priv_key(buf, key->dsskey);
TRACE(("leave buf_put_priv_key: dss done"))
return;
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
buf_put_rsa_priv_key(buf, key->rsakey);
TRACE(("leave buf_put_priv_key: rsa done"))
return;
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (signkey_is_ecdsa(type)) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
if (eck) {
@@ -345,30 +345,30 @@
TRACE2(("enter sign_key_free"))
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
dss_key_free(key->dsskey);
key->dsskey = NULL;
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
rsa_key_free(key->rsakey);
key->rsakey = NULL;
#endif
-#ifdef DROPBEAR_ECDSA
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDSA
+#if DROPBEAR_ECC_256
if (key->ecckey256) {
ecc_free(key->ecckey256);
m_free(key->ecckey256);
key->ecckey256 = NULL;
}
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
if (key->ecckey384) {
ecc_free(key->ecckey384);
m_free(key->ecckey384);
key->ecckey384 = NULL;
}
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
if (key->ecckey521) {
ecc_free(key->ecckey521);
m_free(key->ecckey521);
@@ -395,7 +395,7 @@
/* Since we're not sure if we'll have md5 or sha1, we present both.
* MD5 is used in preference, but sha1 could still be useful */
-#ifdef DROPBEAR_MD5_HMAC
+#if DROPBEAR_MD5_HMAC
static char * sign_key_md5_fingerprint(unsigned char* keyblob,
unsigned int keybloblen) {
@@ -470,7 +470,7 @@
* in either sha1 or md5 */
char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
-#ifdef DROPBEAR_MD5_HMAC
+#if DROPBEAR_MD5_HMAC
return sign_key_md5_fingerprint(keyblob, keybloblen);
#else
return sign_key_sha1_fingerprint(keyblob, keybloblen);
@@ -482,17 +482,17 @@
buffer *sigblob;
sigblob = buf_new(MAX_PUBKEY_SIZE);
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
buf_put_dss_sign(sigblob, key->dsskey, data_buf);
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
buf_put_rsa_sign(sigblob, key->rsakey, data_buf);
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (signkey_is_ecdsa(type)) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
if (eck) {
@@ -508,7 +508,7 @@
}
-#ifdef DROPBEAR_SIGNKEY_VERIFY
+#if DROPBEAR_SIGNKEY_VERIFY
/* Return DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
* If FAILURE is returned, the position of
* buf is undefined. If SUCCESS is returned, buf will be positioned after the
@@ -526,7 +526,7 @@
type = signkey_type_from_name(type_name, type_name_len);
m_free(type_name);
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
if (key->dsskey == NULL) {
dropbear_exit("No DSS key to verify signature");
@@ -535,7 +535,7 @@
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
if (key->rsakey == NULL) {
dropbear_exit("No RSA key to verify signature");
@@ -543,7 +543,7 @@
return buf_rsa_verify(buf, key->rsakey, data_buf);
}
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
if (signkey_is_ecdsa(type)) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
if (eck) {
@@ -557,7 +557,7 @@
}
#endif /* DROPBEAR_SIGNKEY_VERIFY */
-#ifdef DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
+#if DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
/* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE when given a buffer containing
* a key, a key, and a type. The buffer is positioned at the start of the
diff --git a/signkey.h b/signkey.h
index 7f637e0..646c7ab 100644
--- a/signkey.h
+++ b/signkey.h
@@ -30,13 +30,13 @@
#include "rsa.h"
enum signkey_type {
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
DROPBEAR_SIGNKEY_RSA,
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
DROPBEAR_SIGNKEY_DSS,
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
DROPBEAR_SIGNKEY_ECDSA_NISTP256,
DROPBEAR_SIGNKEY_ECDSA_NISTP384,
DROPBEAR_SIGNKEY_ECDSA_NISTP521,
@@ -61,20 +61,20 @@
signkey_source source;
char *filename;
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
dropbear_dss_key * dsskey;
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
dropbear_rsa_key * rsakey;
#endif
-#ifdef DROPBEAR_ECDSA
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDSA
+#if DROPBEAR_ECC_256
ecc_key * ecckey256;
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
ecc_key * ecckey384;
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
ecc_key * ecckey521;
#endif
#endif
@@ -91,7 +91,7 @@
void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type);
void sign_key_free(sign_key *key);
void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, buffer *data_buf);
-#ifdef DROPBEAR_SIGNKEY_VERIFY
+#if DROPBEAR_SIGNKEY_VERIFY
int buf_verify(buffer * buf, sign_key *key, buffer *data_buf);
char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen);
#endif
diff --git a/svr-agentfwd.c b/svr-agentfwd.c
index 512cbd2..d88f203 100644
--- a/svr-agentfwd.c
+++ b/svr-agentfwd.c
@@ -27,7 +27,7 @@
#include "includes.h"
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
#include "agentfwd.h"
#include "session.h"
diff --git a/svr-auth.c b/svr-auth.c
index 577ea88..4dc280c 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -56,10 +56,10 @@
static void authclear() {
memset(&ses.authstate, 0, sizeof(ses.authstate));
-#ifdef ENABLE_SVR_PUBKEY_AUTH
+#if DROPBEAR_SVR_PUBKEY_AUTH
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
#endif
-#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
if (!svr_opts.noauthpass) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
}
@@ -169,7 +169,7 @@
}
}
-#ifdef ENABLE_SVR_PASSWORD_AUTH
+#if DROPBEAR_SVR_PASSWORD_AUTH
if (!svr_opts.noauthpass &&
!(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
/* user wants to try password auth */
@@ -184,7 +184,7 @@
}
#endif
-#ifdef ENABLE_SVR_PAM_AUTH
+#if DROPBEAR_SVR_PAM_AUTH
if (!svr_opts.noauthpass &&
!(svr_opts.norootpass && ses.authstate.pw_uid == 0) ) {
/* user wants to try password auth */
@@ -199,7 +199,7 @@
}
#endif
-#ifdef ENABLE_SVR_PUBKEY_AUTH
+#if DROPBEAR_SVR_PUBKEY_AUTH
/* user wants to try pubkey auth */
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
strncmp(methodname, AUTH_METHOD_PUBKEY,
diff --git a/svr-authpam.c b/svr-authpam.c
index 98505ba..ac8e5ec 100644
--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -31,7 +31,7 @@
#include "dbutil.h"
#include "auth.h"
-#ifdef ENABLE_SVR_PAM_AUTH
+#if DROPBEAR_SVR_PAM_AUTH
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
@@ -270,4 +270,4 @@
}
}
-#endif /* ENABLE_SVR_PAM_AUTH */
+#endif /* DROPBEAR_SVR_PAM_AUTH */
diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 9852ac6..bdee2aa 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -31,7 +31,7 @@
#include "auth.h"
#include "runopts.h"
-#ifdef ENABLE_SVR_PASSWORD_AUTH
+#if DROPBEAR_SVR_PASSWORD_AUTH
/* not constant time when strings are differing lengths.
string content isn't leaked, and crypt hashes are predictable length. */
diff --git a/svr-authpubkey.c b/svr-authpubkey.c
index 71c347a..90d0d2c 100644
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -65,7 +65,7 @@
#include "packet.h"
#include "algo.h"
-#ifdef ENABLE_SVR_PUBKEY_AUTH
+#if DROPBEAR_SVR_PUBKEY_AUTH
#define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
#define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
index 9bdf99d..a04426e 100644
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -47,7 +47,7 @@
#include "signkey.h"
#include "auth.h"
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
/* Returns 1 if pubkey allows agent forwarding,
* 0 otherwise */
@@ -143,14 +143,14 @@
ses.authstate.pubkey_options->no_port_forwarding_flag = 1;
goto next_option;
}
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
if (match_option(options_buf, "no-agent-forwarding") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Agent forwarding disabled.");
ses.authstate.pubkey_options->no_agent_forwarding_flag = 1;
goto next_option;
}
#endif
-#ifdef ENABLE_X11FWD
+#if DROPBEAR_X11FWD
if (match_option(options_buf, "no-X11-forwarding") == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "X11 forwarding disabled.");
ses.authstate.pubkey_options->no_x11_forwarding_flag = 1;
diff --git a/svr-chansession.c b/svr-chansession.c
index bfaf7f6..6dbc8ad 100644
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -254,13 +254,13 @@
channel->typedata = chansess;
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
chansess->x11listener = NULL;
chansess->x11authprot = NULL;
chansess->x11authcookie = NULL;
#endif
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
chansess->agentlistener = NULL;
chansess->agentfile = NULL;
chansess->agentdir = NULL;
@@ -301,7 +301,7 @@
m_free(chansess->cmd);
m_free(chansess->term);
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
m_free(chansess->original_command);
#endif
@@ -315,11 +315,11 @@
m_free(chansess->tty);
}
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
x11cleanup(chansess);
#endif
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
svr_agentcleanup(chansess);
#endif
@@ -373,11 +373,11 @@
ret = sessioncommand(channel, chansess, 1, 0);
} else if (strcmp(type, "subsystem") == 0) {
ret = sessioncommand(channel, chansess, 1, 1);
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
} else if (strcmp(type, "x11-req") == 0) {
ret = x11req(chansess);
#endif
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
} else if (strcmp(type, "auth-agent-req@openssh.com") == 0) {
ret = svr_agentreq(chansess);
#endif
@@ -603,7 +603,7 @@
return DROPBEAR_SUCCESS;
}
-#ifndef USE_VFORK
+#if !DROPBEAR_VFORK
static void make_connection_string(struct ChanSess *chansess) {
char *local_ip, *local_port, *remote_ip, *remote_port;
size_t len;
@@ -671,8 +671,16 @@
}
}
- /* take public key option 'command' into account */
- svr_pubkey_set_forced_command(chansess);
+
+ /* take global command into account */
+ if (svr_opts.forced_command) {
+ chansess->original_command = chansess->cmd ? : m_strdup("");
+ chansess->cmd = m_strdup(svr_opts.forced_command);
+ } else {
+ /* take public key option 'command' into account */
+ svr_pubkey_set_forced_command(chansess);
+ }
+
#ifdef LOG_COMMANDS
if (chansess->cmd) {
@@ -686,7 +694,7 @@
/* uClinux will vfork(), so there'll be a race as
connection_string is freed below. */
-#ifndef USE_VFORK
+#if !DROPBEAR_VFORK
make_connection_string(chansess);
#endif
@@ -702,7 +710,7 @@
ret = ptycommand(channel, chansess);
}
-#ifndef USE_VFORK
+#if !DROPBEAR_VFORK
m_free(chansess->connection_string);
m_free(chansess->client_string);
#endif
@@ -776,7 +784,7 @@
return DROPBEAR_FAILURE;
}
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
pid = vfork();
#else
pid = fork();
@@ -896,7 +904,7 @@
/* with uClinux we'll have vfork()ed, so don't want to overwrite the
* hostkey. can't think of a workaround to clear it */
-#ifndef USE_VFORK
+#if !DROPBEAR_VFORK
/* wipe the hostkey */
sign_key_free(svr_opts.hostkey);
svr_opts.hostkey = NULL;
@@ -965,7 +973,7 @@
addnewvar("SSH_CLIENT", chansess->client_string);
}
-#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
if (chansess->original_command) {
addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
}
@@ -976,11 +984,11 @@
dropbear_exit("Error changing directory");
}
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
/* set up X11 forwarding if enabled */
x11setauth(chansess);
#endif
-#ifdef ENABLE_SVR_AGENTFWD
+#if DROPBEAR_SVR_AGENTFWD
/* set up agent env variable */
svr_agentset(chansess);
#endif
diff --git a/svr-kex.c b/svr-kex.c
index f3828aa..fba9760 100644
--- a/svr-kex.c
+++ b/svr-kex.c
@@ -54,18 +54,24 @@
}
switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
case DROPBEAR_KEX_NORMAL_DH:
m_mp_init(&dh_e);
if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
dropbear_exit("Bad kex value");
}
break;
- case DROPBEAR_KEX_ECDH:
- case DROPBEAR_KEX_CURVE25519:
-#if defined(DROPBEAR_ECDH) || defined(DROPBEAR_CURVE25519)
- ecdh_qs = buf_getstringbuf(ses.payload);
#endif
+#if DROPBEAR_ECDH
+ case DROPBEAR_KEX_ECDH:
+#endif
+#if DROPBEAR_CURVE25519
+ case DROPBEAR_KEX_CURVE25519:
+#endif
+#if DROPBEAR_ECDH || DROPBEAR_CURVE25519
+ ecdh_qs = buf_getstringbuf(ses.payload);
break;
+#endif
}
if (ses.payload->pos != ses.payload->len) {
dropbear_exit("Bad kex value");
@@ -85,7 +91,7 @@
}
-#ifdef DROPBEAR_DELAY_HOSTKEY
+#if DROPBEAR_DELAY_HOSTKEY
static void fsync_parent_dir(const char* fn) {
#ifdef HAVE_LIBGEN_H
@@ -120,17 +126,17 @@
switch (type)
{
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
fn = RSA_PRIV_FILENAME;
break;
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
case DROPBEAR_SIGNKEY_DSS:
fn = DSS_PRIV_FILENAME;
break;
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
@@ -209,7 +215,7 @@
/* we can start creating the kexdh_reply packet */
CHECKCLEARTOWRITE();
-#ifdef DROPBEAR_DELAY_HOSTKEY
+#if DROPBEAR_DELAY_HOSTKEY
if (svr_opts.delay_hostkey)
{
svr_ensure_hostkey();
@@ -221,6 +227,7 @@
ses.newkeys->algo_hostkey);
switch (ses.newkeys->algo_kex->mode) {
+#if DROPBEAR_NORMAL_DH
case DROPBEAR_KEX_NORMAL_DH:
{
struct kex_dh_param * dh_param = gen_kexdh_param();
@@ -231,8 +238,9 @@
free_kexdh_param(dh_param);
}
break;
+#endif
+#if DROPBEAR_ECDH
case DROPBEAR_KEX_ECDH:
-#ifdef DROPBEAR_ECDH
{
struct kex_ecdh_param *ecdh_param = gen_kexecdh_param();
kexecdh_comb_key(ecdh_param, ecdh_qs, svr_opts.hostkey);
@@ -240,18 +248,18 @@
buf_put_ecc_raw_pubkey_string(ses.writepayload, &ecdh_param->key);
free_kexecdh_param(ecdh_param);
}
-#endif
break;
+#endif
+#if DROPBEAR_CURVE25519
case DROPBEAR_KEX_CURVE25519:
-#ifdef DROPBEAR_CURVE25519
{
struct kex_curve25519_param *param = gen_kexcurve25519_param();
kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);
buf_putstring(ses.writepayload, (const char*)param->pub, CURVE25519_LEN);
free_kexcurve25519_param(param);
}
-#endif
break;
+#endif
}
/* calc the signature */
diff --git a/svr-main.c b/svr-main.c
index b274551..d1ee764 100644
--- a/svr-main.c
+++ b/svr-main.c
@@ -43,8 +43,8 @@
#endif
static void commonsetup(void);
-#if defined(DBMULTI_dropbear) || !defined(DROPBEAR_MULTI)
-#if defined(DBMULTI_dropbear) && defined(DROPBEAR_MULTI)
+#if defined(DBMULTI_dropbear) || !DROPBEAR_MULTI
+#if defined(DBMULTI_dropbear) && DROPBEAR_MULTI
int dropbear_main(int argc, char ** argv)
#else
int main(int argc, char ** argv)
@@ -144,7 +144,7 @@
/* fork */
if (svr_opts.forkbg) {
int closefds = 0;
-#ifndef DEBUG_TRACE
+#if !DEBUG_TRACE
if (!opts.usingsyslog) {
closefds = 1;
}
@@ -429,7 +429,7 @@
for (n = 0; n < (unsigned int)nsock; n++) {
int sock = socks[sockpos + n];
set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY);
-#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN
+#if DROPBEAR_SERVER_TCP_FAST_OPEN
set_listen_fast_open(sock);
#endif
}
diff --git a/svr-runopts.c b/svr-runopts.c
index 8f60059..e6dc8a8 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -46,16 +46,16 @@
" (default: none)\n"
"-r keyfile Specify hostkeys (repeatable)\n"
" defaults: \n"
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
" dss %s\n"
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
" rsa %s\n"
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
" ecdsa %s\n"
#endif
-#ifdef DROPBEAR_DELAY_HOSTKEY
+#if DROPBEAR_DELAY_HOSTKEY
"-R Create hostkeys as required\n"
#endif
"-F Don't fork into background\n"
@@ -68,17 +68,18 @@
"-m Don't display the motd on login\n"
#endif
"-w Disallow root logins\n"
-#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
"-s Disable password logins\n"
"-g Disable password logins for root\n"
"-B Allow blank password logins\n"
#endif
-#ifdef ENABLE_SVR_LOCALTCPFWD
+#if DROPBEAR_SVR_LOCALTCPFWD
"-j Disable local port forwarding\n"
#endif
-#ifdef ENABLE_SVR_REMOTETCPFWD
+#if DROPBEAR_SVR_REMOTETCPFWD
"-k Disable remote port forwarding\n"
"-a Allow connections to forwarded ports from any host\n"
+ "-c command Force executed command\n"
#endif
"-p [address:]port\n"
" Listen on specified tcp port (and optionally address),\n"
@@ -93,17 +94,17 @@
"-K <keepalive> (0 is never, default %d, in seconds)\n"
"-I <idle_timeout> (0 is never, default %d, in seconds)\n"
"-V Version\n"
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
"-v verbose (compiled with DEBUG_TRACE)\n"
#endif
,DROPBEAR_VERSION, progname,
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
DSS_PRIV_FILENAME,
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
RSA_PRIV_FILENAME,
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
ECDSA_PRIV_FILENAME,
#endif
DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
@@ -125,6 +126,7 @@
/* see printhelp() for options */
svr_opts.bannerfile = NULL;
svr_opts.banner = NULL;
+ svr_opts.forced_command = NULL;
svr_opts.forkbg = 1;
svr_opts.norootlogin = 0;
svr_opts.noauthpass = 0;
@@ -135,19 +137,15 @@
svr_opts.hostkey = NULL;
svr_opts.delay_hostkey = 0;
svr_opts.pidfile = DROPBEAR_PIDFILE;
-#ifdef ENABLE_SVR_LOCALTCPFWD
+#if DROPBEAR_SVR_LOCALTCPFWD
svr_opts.nolocaltcp = 0;
#endif
-#ifdef ENABLE_SVR_REMOTETCPFWD
+#if DROPBEAR_SVR_REMOTETCPFWD
svr_opts.noremotetcp = 0;
#endif
#ifndef DISABLE_ZLIB
-#if DROPBEAR_SERVER_DELAY_ZLIB
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
-#else
- opts.compress_mode = DROPBEAR_COMPRESS_ON;
-#endif
#endif
/* not yet
@@ -164,7 +162,7 @@
opts.keepalive_secs = DEFAULT_KEEPALIVE;
opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
-#ifdef ENABLE_SVR_REMOTETCPFWD
+#if DROPBEAR_SVR_REMOTETCPFWD
opts.listen_fwd_all = 0;
#endif
@@ -177,6 +175,9 @@
case 'b':
next = &svr_opts.bannerfile;
break;
+ case 'c':
+ next = &svr_opts.forced_command;
+ break;
case 'd':
case 'r':
next = &keyfile;
@@ -192,12 +193,12 @@
opts.usingsyslog = 0;
break;
#endif
-#ifdef ENABLE_SVR_LOCALTCPFWD
+#if DROPBEAR_SVR_LOCALTCPFWD
case 'j':
svr_opts.nolocaltcp = 1;
break;
#endif
-#ifdef ENABLE_SVR_REMOTETCPFWD
+#if DROPBEAR_SVR_REMOTETCPFWD
case 'k':
svr_opts.noremotetcp = 1;
break;
@@ -234,7 +235,7 @@
case 'I':
next = &idle_timeout_arg;
break;
-#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
+#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
case 's':
svr_opts.noauthpass = 1;
break;
@@ -252,7 +253,7 @@
case 'u':
/* backwards compatibility with old urandom option */
break;
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
case 'v':
debug_trace = 1;
break;
@@ -346,6 +347,10 @@
}
opts.idle_timeout_secs = val;
}
+
+ if (svr_opts.forced_command) {
+ dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
+ }
}
static void addportandaddress(const char* spec) {
@@ -434,30 +439,30 @@
}
}
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
loadhostkey_helper("RSA", (void**)&read_key->rsakey, (void**)&svr_opts.hostkey->rsakey, fatal_duplicate);
}
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
loadhostkey_helper("DSS", (void**)&read_key->dsskey, (void**)&svr_opts.hostkey->dsskey, fatal_duplicate);
}
#endif
-#ifdef DROPBEAR_ECDSA
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDSA
+#if DROPBEAR_ECC_256
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) {
loadhostkey_helper("ECDSA256", (void**)&read_key->ecckey256, (void**)&svr_opts.hostkey->ecckey256, fatal_duplicate);
}
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) {
loadhostkey_helper("ECDSA384", (void**)&read_key->ecckey384, (void**)&svr_opts.hostkey->ecckey384, fatal_duplicate);
}
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
loadhostkey_helper("ECDSA521", (void**)&read_key->ecckey521, (void**)&svr_opts.hostkey->ecckey521, fatal_duplicate);
}
@@ -488,25 +493,25 @@
m_free(hostkey_file);
}
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
loadhostkey(RSA_PRIV_FILENAME, 0);
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
loadhostkey(DSS_PRIV_FILENAME, 0);
#endif
-#ifdef DROPBEAR_ECDSA
+#if DROPBEAR_ECDSA
loadhostkey(ECDSA_PRIV_FILENAME, 0);
#endif
-#ifdef DROPBEAR_DELAY_HOSTKEY
+#if DROPBEAR_DELAY_HOSTKEY
if (svr_opts.delay_hostkey) {
disable_unset_keys = 0;
}
#endif
-#ifdef DROPBEAR_RSA
+#if DROPBEAR_RSA
if (disable_unset_keys && !svr_opts.hostkey->rsakey) {
disablekey(DROPBEAR_SIGNKEY_RSA);
} else {
@@ -514,7 +519,7 @@
}
#endif
-#ifdef DROPBEAR_DSS
+#if DROPBEAR_DSS
if (disable_unset_keys && !svr_opts.hostkey->dsskey) {
disablekey(DROPBEAR_SIGNKEY_DSS);
} else {
@@ -523,8 +528,8 @@
#endif
-#ifdef DROPBEAR_ECDSA
-#ifdef DROPBEAR_ECC_256
+#if DROPBEAR_ECDSA
+#if DROPBEAR_ECC_256
if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 256)
&& !svr_opts.hostkey->ecckey256) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
@@ -533,7 +538,7 @@
}
#endif
-#ifdef DROPBEAR_ECC_384
+#if DROPBEAR_ECC_384
if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 384)
&& !svr_opts.hostkey->ecckey384) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
@@ -542,7 +547,7 @@
}
#endif
-#ifdef DROPBEAR_ECC_521
+#if DROPBEAR_ECC_521
if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 521)
&& !svr_opts.hostkey->ecckey521) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
diff --git a/svr-session.c b/svr-session.c
index d14bca9..febe79a 100644
--- a/svr-session.c
+++ b/svr-session.c
@@ -62,7 +62,7 @@
{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
{SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */
{SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */
-#ifdef USING_LISTENERS
+#if DROPBEAR_LISTENERS
{SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
{SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
#endif
@@ -71,7 +71,7 @@
static const struct ChanType *svr_chantypes[] = {
&svrchansess,
-#ifdef ENABLE_SVR_LOCALTCPFWD
+#if DROPBEAR_SVR_LOCALTCPFWD
&svr_chan_tcpdirect,
#endif
NULL /* Null termination is mandatory. */
@@ -96,7 +96,7 @@
/* Initialise server specific parts of the session */
svr_ses.childpipe = childpipe;
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
svr_ses.server_pid = getpid();
#endif
svr_authinitialise();
@@ -144,33 +144,35 @@
/* failure exit - format must be <= 100 chars */
void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
-
- char fmtbuf[300];
+ char exitmsg[150];
+ char fullmsg[300];
int i;
+ /* Render the formatted exit message */
+ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+
+ /* Add the prefix depending on session/auth state */
if (!sessinitdone) {
/* before session init */
- snprintf(fmtbuf, sizeof(fmtbuf),
- "Early exit: %s", format);
+ snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
} else if (ses.authstate.authdone) {
/* user has authenticated */
- snprintf(fmtbuf, sizeof(fmtbuf),
+ snprintf(fullmsg, sizeof(fullmsg),
"Exit (%s): %s",
- ses.authstate.pw_name, format);
+ ses.authstate.pw_name, exitmsg);
} else if (ses.authstate.pw_name) {
/* we have a potential user */
- snprintf(fmtbuf, sizeof(fmtbuf),
+ snprintf(fullmsg, sizeof(fullmsg),
"Exit before auth (user '%s', %u fails): %s",
- ses.authstate.pw_name, ses.authstate.failcount, format);
+ ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
} else {
/* before userauth */
- snprintf(fmtbuf, sizeof(fmtbuf),
- "Exit before auth: %s", format);
+ snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
}
- _dropbear_log(LOG_INFO, fmtbuf, param);
+ dropbear_log(LOG_INFO, "%s", fullmsg);
-#ifdef USE_VFORK
+#if DROPBEAR_VFORK
/* For uclinux only the main server process should cleanup - we don't want
* forked children doing that */
if (svr_ses.server_pid == getpid())
@@ -211,7 +213,7 @@
/* if we are using DEBUG_TRACE, we want to print to stderr even if
* syslog is used, so it is included in error reports */
-#ifdef DEBUG_TRACE
+#if DEBUG_TRACE
havetrace = debug_trace;
#endif
diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c
index 1c8d353..e5b6d46 100644
--- a/svr-tcpfwd.c
+++ b/svr-tcpfwd.c
@@ -35,7 +35,7 @@
#include "auth.h"
#include "netio.h"
-#ifndef ENABLE_SVR_REMOTETCPFWD
+#ifndef DROPBEAR_SVR_REMOTETCPFWD
/* This is better than SSH_MSG_UNIMPLEMENTED */
void recv_msg_global_request_remotetcp() {
@@ -44,13 +44,13 @@
}
/* */
-#endif /* !ENABLE_SVR_REMOTETCPFWD */
+#endif /* !DROPBEAR_SVR_REMOTETCPFWD */
static int svr_cancelremotetcp(void);
static int svr_remotetcpreq(void);
static int newtcpdirect(struct Channel * channel);
-#ifdef ENABLE_SVR_REMOTETCPFWD
+#if DROPBEAR_SVR_REMOTETCPFWD
static const struct ChanType svr_chan_tcpremote = {
1, /* sepfds */
"forwarded-tcpip",
@@ -215,9 +215,9 @@
return ret;
}
-#endif /* ENABLE_SVR_REMOTETCPFWD */
+#endif /* DROPBEAR_SVR_REMOTETCPFWD */
-#ifdef ENABLE_SVR_LOCALTCPFWD
+#if DROPBEAR_SVR_LOCALTCPFWD
const struct ChanType svr_chan_tcpdirect = {
1, /* sepfds */
@@ -283,4 +283,4 @@
return err;
}
-#endif /* ENABLE_SVR_LOCALTCPFWD */
+#endif /* DROPBEAR_SVR_LOCALTCPFWD */
diff --git a/svr-x11fwd.c b/svr-x11fwd.c
index cf213e8..113be57 100644
--- a/svr-x11fwd.c
+++ b/svr-x11fwd.c
@@ -24,7 +24,7 @@
#include "includes.h"
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
#include "x11fwd.h"
#include "session.h"
#include "ssh.h"
diff --git a/sysoptions.h b/sysoptions.h
index 9a76655..1f357e7 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -4,7 +4,7 @@
*******************************************************************/
#ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2016.73"
+#define DROPBEAR_VERSION "2016.74"
#endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -23,14 +23,20 @@
#define AUTH_TIMEOUT 300 /* we choose 5 minutes */
#endif
+ #define DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT ((DROPBEAR_SVR_PUBKEY_AUTH) && (DROPBEAR_SVR_PUBKEY_OPTIONS))
+
/* A client should try and send an initial key exchange packet guessing
* the algorithm that will match - saves a round trip connecting, has little
* overhead if the guess was "wrong". */
-#define USE_KEX_FIRST_FOLLOWS
+#ifndef DROPBEAR_KEX_FIRST_FOLLOWS
+#define DROPBEAR_KEX_FIRST_FOLLOWS 1
+#endif
/* Use protocol extension to allow "first follows" to succeed more frequently.
* This is currently Dropbear-specific but will gracefully fallback when connecting
* to other implementations. */
-#define USE_KEXGUESS2
+#ifndef DROPBEAR_KEXGUESS2
+#define DROPBEAR_KEXGUESS2 1
+#endif
/* Minimum key sizes for DSS and RSA */
#ifndef MIN_DSS_KEYLEN
@@ -68,11 +74,11 @@
/* success/failure defines */
#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE -1
+
+#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
/* Required for pubkey auth */
-#if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
-#define DROPBEAR_SIGNKEY_VERIFY
-#endif
+#define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
#define SHA1_HASH_SIZE 20
#define MD5_HASH_SIZE 16
@@ -81,56 +87,45 @@
#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
#define MAX_IV_LEN 20 /* must be same as max blocksize, */
-#if defined(DROPBEAR_SHA2_512_HMAC)
+#if DROPBEAR_SHA2_512_HMAC
#define MAX_MAC_LEN 64
-#elif defined(DROPBEAR_SHA2_256_HMAC)
+#elif DROPBEAR_SHA2_256_HMAC
#define MAX_MAC_LEN 32
#else
#define MAX_MAC_LEN 20
#endif
-#if defined(DROPBEAR_ECDH) || defined (DROPBEAR_ECDSA)
-#define DROPBEAR_ECC
+
+#define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
+
/* Debian doesn't define this in system headers */
-#ifndef LTM_DESC
-#define LTM_DESC
-#endif
+#if !defined(LTM_DESC) && (DROPBEAR_ECC)
+#define LTM_DESC
#endif
-#ifdef DROPBEAR_ECC
-#define DROPBEAR_ECC_256
-#define DROPBEAR_ECC_384
-#define DROPBEAR_ECC_521
-#endif
+#define DROPBEAR_ECC_256 (DROPBEAR_ECC)
+#define DROPBEAR_ECC_384 (DROPBEAR_ECC)
+#define DROPBEAR_ECC_521 (DROPBEAR_ECC)
-#ifdef DROPBEAR_ECC
-#define DROPBEAR_LTC_PRNG
-#endif
+#define DROPBEAR_LTC_PRNG (DROPBEAR_ECC)
/* RSA can be vulnerable to timing attacks which use the time required for
* signing to guess the private key. Blinding avoids this attack, though makes
* signing operations slightly slower. */
-#define RSA_BLINDING
+#define DROPBEAR_RSA_BLINDING 1
/* hashes which will be linked and registered */
-#if defined(DROPBEAR_SHA2_256_HMAC) || defined(DROPBEAR_ECC_256) || defined(DROPBEAR_CURVE25519) || DROPBEAR_DH_GROUP14
-#define DROPBEAR_SHA256
-#endif
-#if defined(DROPBEAR_ECC_384)
-#define DROPBEAR_SHA384
-#endif
+#define DROPBEAR_SHA256 ((DROPBEAR_SHA2_256_HMAC) || (DROPBEAR_ECC_256) \
+ || (DROPBEAR_CURVE25519) || (DROPBEAR_DH_GROUP14_SHA256))
+#define DROPBEAR_SHA384 (DROPBEAR_ECC_384)
/* LTC SHA384 depends on SHA512 */
-#if defined(DROPBEAR_SHA2_512_HMAC) || defined(DROPBEAR_ECC_521) || defined(DROPBEAR_ECC_384) || DROPBEAR_DH_GROUP16
-#define DROPBEAR_SHA512
-#endif
-#if defined(DROPBEAR_MD5_HMAC)
-#define DROPBEAR_MD5
-#endif
+#define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
+ || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16))
+#define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
-/* These are disabled in Dropbear 2016.73 by default since the spec
- draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
-#define DROPBEAR_DH_GROUP14_256 0
-#define DROPBEAR_DH_GROUP16 0
+#define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
+
+#define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
/* roughly 2x 521 bits */
#define MAX_ECC_SIZE 140
@@ -182,65 +177,47 @@
auth */
-#if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128)
-#define DROPBEAR_AES
-#endif
+#define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
-#if defined(DROPBEAR_TWOFISH256) || defined(DROPBEAR_TWOFISH128)
-#define DROPBEAR_TWOFISH
-#endif
+#define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
-#ifndef ENABLE_X11FWD
-#define DISABLE_X11FWD
-#endif
+#define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
-#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
-#define ENABLE_CLI_ANYTCPFWD
-#endif
+#define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD))
-#if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
-#define DROPBEAR_TCP_ACCEPT
-#endif
+#define DROPBEAR_LISTENERS \
+ ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD) || \
+ (DROPBEAR_SVR_REMOTETCPFWD) || (DROPBEAR_SVR_LOCALTCPFWD) || \
+ (DROPBEAR_SVR_AGENTFWD) || (DROPBEAR_X11FWD))
-#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
- defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
- defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_X11FWD)
-#define USING_LISTENERS
-#endif
+#define DROPBEAR_CLI_MULTIHOP ((DROPBEAR_CLI_NETCAT) && (DROPBEAR_CLI_PROXYCMD))
-#if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
-#define ENABLE_CLI_MULTIHOP
-#endif
+#define ENABLE_CONNECT_UNIX ((DROPBEAR_CLI_AGENTFWD) || (DROPBEAR_PRNGD_SOCKET))
-#if defined(ENABLE_CLI_AGENTFWD) || defined(DROPBEAR_PRNGD_SOCKET)
-#define ENABLE_CONNECT_UNIX
-#endif
-
-#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
-#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
-#endif
+/* if we're using authorized_keys or known_hosts */
+#define DROPBEAR_KEY_LINES ((DROPBEAR_CLIENT) || (DROPBEAR_SVR_PUBKEY_AUTH))
/* Changing this is inadvisable, it appears to have problems
* with flushing compressed data */
#define DROPBEAR_ZLIB_MEM_LEVEL 8
-#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
+#if (DROPBEAR_SVR_PASSWORD_AUTH) && (DROPBEAR_SVR_PAM_AUTH)
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
* code, if we're just compiling as client or server */
-#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)
+#if (DROPBEAR_SERVER) && (DROPBEAR_CLIENT)
#define IS_DROPBEAR_SERVER (ses.isserver == 1)
#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
-#elif defined(DROPBEAR_SERVER)
+#elif DROPBEAR_SERVER
#define IS_DROPBEAR_SERVER 1
#define IS_DROPBEAR_CLIENT 0
-#elif defined(DROPBEAR_CLIENT)
+#elif DROPBEAR_CLIENT
#define IS_DROPBEAR_SERVER 0
#define IS_DROPBEAR_CLIENT 1
@@ -252,9 +229,11 @@
#endif /* neither DROPBEAR_SERVER nor DROPBEAR_CLIENT */
-#ifndef HAVE_FORK
-#define USE_VFORK
-#endif /* don't HAVE_FORK */
+#ifdef HAVE_FORK
+#define DROPBEAR_VFORK 0
+#else
+#define DROPBEAR_VFORK 1
+#endif
#if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
#define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
@@ -262,8 +241,12 @@
#define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
#endif
+#ifndef DROPBEAR_NONE_CIPHER
+#define DROPBEAR_NONE_CIPHER 0
+#endif
+
/* free memory before exiting */
-#define DROPBEAR_CLEANUP
+#define DROPBEAR_CLEANUP 1
/* Use this string since some implementations might special-case it */
#define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com"
@@ -272,8 +255,11 @@
* Currently server is enabled but client is disabled by default until there
* is further compatibility testing */
#ifdef __linux__
-#define DROPBEAR_SERVER_TCP_FAST_OPEN
-/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */
+#define DROPBEAR_SERVER_TCP_FAST_OPEN 1
+#define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
+#else
+#define DROPBEAR_SERVER_TCP_FAST_OPEN 0
+#define DROPBEAR_CLIENT_TCP_FAST_OPEN 0
#endif
/* no include guard for this file */
diff --git a/tcp-accept.c b/tcp-accept.c
index f1f51a7..04fa25f 100644
--- a/tcp-accept.c
+++ b/tcp-accept.c
@@ -33,7 +33,7 @@
#include "listener.h"
#include "runopts.h"
-#ifdef DROPBEAR_TCP_ACCEPT
+#if DROPBEAR_TCP_ACCEPT
static void cleanup_tcp(struct Listener *listener) {
diff --git a/x11fwd.h b/x11fwd.h
index e142226..aaf964b 100644
--- a/x11fwd.h
+++ b/x11fwd.h
@@ -23,7 +23,7 @@
* SOFTWARE. */
#ifndef DROPBEAR__X11FWD_H_
#define DROPBEAR__X11FWD_H_
-#ifndef DISABLE_X11FWD
+#if DROPBEAR_X11FWD
#include "includes.h"
#include "chansession.h"