authorMatt Johnston <matt@ucc.asn.au>2023-03-06 21:50:51 +0800
committerMatt Johnston <matt@ucc.asn.au>2023-03-06 21:50:51 +0800
commit9ddedcc53ca1c00b94c7de1ea1edf7a5e34297b2 (patch)
tree5796a1a4348b925bef0b0807a1203593589ae279
parent3292b8c6f1e5fcc405fa0f7a20e90a60f74037b2 (diff)
parenta992d3f0be411e0ba2b93e744df07e2189c7af0d (diff)
downloaddropbear-9ddedcc53ca1c00b94c7de1ea1edf7a5e34297b2.tar.gz
Merge branch 'build/folder-reorg' of github.com:tjkolev/dropbear
-rw-r--r--.gitignore6
-rw-r--r--DEVELOPING.md93
-rw-r--r--FUZZER-NOTES.md78
-rw-r--r--INSTALL93
-rw-r--r--INSTALL.md82
-rw-r--r--MULTI22
-rw-r--r--MULTI.md23
-rw-r--r--Makefile.in105
-rw-r--r--README81
-rw-r--r--README.md74
-rw-r--r--SMALL56
-rw-r--r--SMALL.md59
-rwxr-xr-xconfigure2
-rw-r--r--configure.ac1
-rw-r--r--libtomcrypt/Makefile.in2
-rw-r--r--libtommath/Makefile.in2
-rw-r--r--manpages/dbclient.1 (renamed from dbclient.1)0
-rw-r--r--manpages/dropbear.8 (renamed from dropbear.8)0
-rw-r--r--manpages/dropbearconvert.1 (renamed from dropbearconvert.1)0
-rw-r--r--manpages/dropbearkey.1 (renamed from dropbearkey.1)0
-rw-r--r--src/agentfwd.h (renamed from agentfwd.h)0
-rw-r--r--src/algo.h (renamed from algo.h)0
-rw-r--r--src/atomicio.c (renamed from atomicio.c)0
-rw-r--r--src/atomicio.h (renamed from atomicio.h)0
-rw-r--r--src/auth.h (renamed from auth.h)0
-rw-r--r--src/bignum.c (renamed from bignum.c)0
-rw-r--r--src/bignum.h (renamed from bignum.h)0
-rw-r--r--src/buffer.c (renamed from buffer.c)0
-rw-r--r--src/buffer.h (renamed from buffer.h)0
-rw-r--r--src/chachapoly.c (renamed from chachapoly.c)0
-rw-r--r--src/chachapoly.h (renamed from chachapoly.h)0
-rw-r--r--src/channel.h (renamed from channel.h)0
-rw-r--r--src/chansession.h (renamed from chansession.h)0
-rw-r--r--src/circbuffer.c (renamed from circbuffer.c)0
-rw-r--r--src/circbuffer.h (renamed from circbuffer.h)0
-rw-r--r--src/cli-agentfwd.c (renamed from cli-agentfwd.c)0
-rw-r--r--src/cli-auth.c (renamed from cli-auth.c)0
-rw-r--r--src/cli-authinteract.c (renamed from cli-authinteract.c)0
-rw-r--r--src/cli-authpasswd.c (renamed from cli-authpasswd.c)0
-rw-r--r--src/cli-authpubkey.c (renamed from cli-authpubkey.c)0
-rw-r--r--src/cli-channel.c (renamed from cli-channel.c)0
-rw-r--r--src/cli-chansession.c (renamed from cli-chansession.c)0
-rw-r--r--src/cli-kex.c (renamed from cli-kex.c)0
-rw-r--r--src/cli-main.c (renamed from cli-main.c)0
-rw-r--r--src/cli-runopts.c (renamed from cli-runopts.c)0
-rw-r--r--src/cli-session.c (renamed from cli-session.c)0
-rw-r--r--src/cli-tcpfwd.c (renamed from cli-tcpfwd.c)0
-rw-r--r--src/common-algo.c (renamed from common-algo.c)0
-rw-r--r--src/common-channel.c (renamed from common-channel.c)0
-rw-r--r--src/common-chansession.c (renamed from common-chansession.c)0
-rw-r--r--src/common-kex.c (renamed from common-kex.c)0
-rw-r--r--src/common-runopts.c (renamed from common-runopts.c)0
-rw-r--r--src/common-session.c (renamed from common-session.c)0
-rw-r--r--src/compat.c (renamed from compat.c)0
-rw-r--r--src/compat.h (renamed from compat.h)0
-rw-r--r--src/crypto_desc.c (renamed from crypto_desc.c)0
-rw-r--r--src/crypto_desc.h (renamed from crypto_desc.h)0
-rw-r--r--src/curve25519.c (renamed from curve25519.c)0
-rw-r--r--src/curve25519.h (renamed from curve25519.h)0
-rw-r--r--src/dbhelpers.c (renamed from dbhelpers.c)0
-rw-r--r--src/dbhelpers.h (renamed from dbhelpers.h)0
-rw-r--r--src/dbmalloc.c (renamed from dbmalloc.c)0
-rw-r--r--src/dbmalloc.h (renamed from dbmalloc.h)0
-rw-r--r--src/dbmulti.c (renamed from dbmulti.c)0
-rw-r--r--src/dbrandom.c (renamed from dbrandom.c)0
-rw-r--r--src/dbrandom.h (renamed from dbrandom.h)0
-rw-r--r--src/dbutil.c (renamed from dbutil.c)0
-rw-r--r--src/dbutil.h (renamed from dbutil.h)0
-rw-r--r--src/debug.h (renamed from debug.h)0
-rw-r--r--src/dh_groups.c (renamed from dh_groups.c)0
-rw-r--r--src/dh_groups.h (renamed from dh_groups.h)0
-rwxr-xr-xsrc/dropbear_lint.sh (renamed from dropbear_lint.sh)0
-rw-r--r--src/dropbearconvert.c (renamed from dropbearconvert.c)0
-rw-r--r--src/dropbearkey.c (renamed from dropbearkey.c)0
-rw-r--r--src/dss.c (renamed from dss.c)0
-rw-r--r--src/dss.h (renamed from dss.h)0
-rw-r--r--src/ecc.c (renamed from ecc.c)0
-rw-r--r--src/ecc.h (renamed from ecc.h)0
-rw-r--r--src/ecdsa.c (renamed from ecdsa.c)0
-rw-r--r--src/ecdsa.h (renamed from ecdsa.h)0
-rw-r--r--src/ed25519.c (renamed from ed25519.c)0
-rw-r--r--src/ed25519.h (renamed from ed25519.h)0
-rw-r--r--src/fake-rfc2553.c (renamed from fake-rfc2553.c)0
-rw-r--r--src/fake-rfc2553.h (renamed from fake-rfc2553.h)0
-rw-r--r--src/filelist.txt (renamed from filelist.txt)0
-rw-r--r--src/fuzz-wrapfd.h (renamed from fuzz-wrapfd.h)0
-rw-r--r--src/fuzz.h (renamed from fuzz.h)0
-rw-r--r--src/gcm.c (renamed from gcm.c)0
-rw-r--r--src/gcm.h (renamed from gcm.h)0
-rw-r--r--src/gendss.c (renamed from gendss.c)0
-rw-r--r--src/gendss.h (renamed from gendss.h)0
-rw-r--r--src/gened25519.c (renamed from gened25519.c)0
-rw-r--r--src/gened25519.h (renamed from gened25519.h)0
-rw-r--r--src/genrsa.c (renamed from genrsa.c)0
-rw-r--r--src/genrsa.h (renamed from genrsa.h)0
-rw-r--r--src/gensignkey.c (renamed from gensignkey.c)0
-rw-r--r--src/gensignkey.h (renamed from gensignkey.h)0
-rw-r--r--src/includes.h (renamed from includes.h)4
-rw-r--r--src/kex.h (renamed from kex.h)0
-rw-r--r--src/keyimport.c (renamed from keyimport.c)0
-rw-r--r--src/keyimport.h (renamed from keyimport.h)0
-rw-r--r--src/list.c (renamed from list.c)0
-rw-r--r--src/list.h (renamed from list.h)0
-rw-r--r--src/listener.c (renamed from listener.c)0
-rw-r--r--src/listener.h (renamed from listener.h)0
-rw-r--r--src/loginrec.c (renamed from loginrec.c)0
-rw-r--r--src/loginrec.h (renamed from loginrec.h)0
-rw-r--r--src/ltc_prng.c (renamed from ltc_prng.c)0
-rw-r--r--src/ltc_prng.h (renamed from ltc_prng.h)0
-rw-r--r--src/netio.c (renamed from netio.c)0
-rw-r--r--src/netio.h (renamed from netio.h)0
-rw-r--r--src/options.h (renamed from options.h)0
-rw-r--r--src/packet.c (renamed from packet.c)0
-rw-r--r--src/packet.h (renamed from packet.h)0
-rw-r--r--src/process-packet.c (renamed from process-packet.c)0
-rw-r--r--src/progressmeter.c (renamed from progressmeter.c)0
-rw-r--r--src/progressmeter.h (renamed from progressmeter.h)0
-rw-r--r--src/pubkeyapi.h (renamed from pubkeyapi.h)0
-rw-r--r--src/queue.c (renamed from queue.c)0
-rw-r--r--src/queue.h (renamed from queue.h)0
-rw-r--r--src/rsa.c (renamed from rsa.c)0
-rw-r--r--src/rsa.h (renamed from rsa.h)0
-rw-r--r--src/runopts.h (renamed from runopts.h)0
-rw-r--r--src/scp.c (renamed from scp.c)0
-rw-r--r--src/scpmisc.c (renamed from scpmisc.c)0
-rw-r--r--src/scpmisc.h (renamed from scpmisc.h)0
-rw-r--r--src/service.h (renamed from service.h)0
-rw-r--r--src/session.h (renamed from session.h)0
-rw-r--r--src/signkey.c (renamed from signkey.c)0
-rw-r--r--src/signkey.h (renamed from signkey.h)0
-rw-r--r--src/signkey_ossh.c (renamed from signkey_ossh.c)0
-rw-r--r--src/signkey_ossh.h (renamed from signkey_ossh.h)0
-rw-r--r--src/sk-ecdsa.c (renamed from sk-ecdsa.c)0
-rw-r--r--src/sk-ecdsa.h (renamed from sk-ecdsa.h)0
-rw-r--r--src/sk-ed25519.c (renamed from sk-ed25519.c)0
-rw-r--r--src/sk-ed25519.h (renamed from sk-ed25519.h)0
-rw-r--r--src/ssh.h (renamed from ssh.h)0
-rw-r--r--src/sshpty.c (renamed from sshpty.c)0
-rw-r--r--src/sshpty.h (renamed from sshpty.h)0
-rw-r--r--src/svr-agentfwd.c (renamed from svr-agentfwd.c)0
-rw-r--r--src/svr-auth.c (renamed from svr-auth.c)0
-rw-r--r--src/svr-authpam.c (renamed from svr-authpam.c)0
-rw-r--r--src/svr-authpasswd.c (renamed from svr-authpasswd.c)0
-rw-r--r--src/svr-authpubkey.c (renamed from svr-authpubkey.c)0
-rw-r--r--src/svr-authpubkeyoptions.c (renamed from svr-authpubkeyoptions.c)0
-rw-r--r--src/svr-chansession.c (renamed from svr-chansession.c)0
-rw-r--r--src/svr-kex.c (renamed from svr-kex.c)0
-rw-r--r--src/svr-main.c (renamed from svr-main.c)0
-rw-r--r--src/svr-runopts.c (renamed from svr-runopts.c)0
-rw-r--r--src/svr-service.c (renamed from svr-service.c)0
-rw-r--r--src/svr-session.c (renamed from svr-session.c)0
-rw-r--r--src/svr-tcpfwd.c (renamed from svr-tcpfwd.c)0
-rw-r--r--src/svr-x11fwd.c (renamed from svr-x11fwd.c)0
-rw-r--r--src/sysoptions.h (renamed from sysoptions.h)0
-rw-r--r--src/tcp-accept.c (renamed from tcp-accept.c)0
-rw-r--r--src/tcpfwd.h (renamed from tcpfwd.h)0
-rw-r--r--src/termcodes.c (renamed from termcodes.c)0
-rw-r--r--src/termcodes.h (renamed from termcodes.h)0
-rw-r--r--src/x11fwd.h (renamed from x11fwd.h)0
-rw-r--r--test/test_dropbear.py6
-rw-r--r--test/test_dropbearconvert.py1
161 files changed, 375 insertions, 415 deletions
diff --git a/.gitignore b/.gitignore
index 65b8e15..290a0e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
*.bbg
*.prof
.*.swp
+/obj
/autom4te.cache
/config.log
/config.status
@@ -26,4 +27,7 @@ Makefile
tags
.pytest*
*.pyc
-/test/venv
+/test/venv/
+/test/init/
+/test/fakekey
+.vscode/
\ No newline at end of file
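Review bot: The last added pattern, `.vscode/`, leaves `.gitignore` without a trailing newline, so a later append to the file (for example a `>>` redirect from a script) would be joined onto that line and neither pattern would match as intended; the file should end with a newline. Separately, changing `/test/venv` to `/test/venv/` makes the pattern match directories only, so a `test/venv` that is a symlink to a virtualenv kept elsewhere would no longer be ignored. If that setup is in use, keep the slash-less form `/test/venv`.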
diff --git a/DEVELOPING.md b/DEVELOPING.md
index 1846b15..3c7f866 100644
--- a/DEVELOPING.md
+++ b/DEVELOPING.md
@@ -1,75 +1,62 @@
-# Developer Notes
+## Developer Notes
-## Building
+#### Building
-See [INSTALL](INSTALL) for build instructions.
-[SMALL](SMALL) has hints for building smaller binaries, also see comments
-in default_options.h.
+See [INSTALL.md](INSTALL.md) for build instructions.
+[SMALL.md](SMALL.md) has hints for building smaller binaries, also see comments in [default_options.h](./default_options.h).
-## Debug printing
+To be able to debug add `-g` compiler option to the `CFLAGS` environment variable. This will generate debug symbols.
+```
+export CFLAGS="$CFLAGS -g"
+```
-Set `#define DEBUG_TRACE 1` in localoptions.h to enable a `-v` option
-for dropbear and dbclient. That prints various details of the session. For
-development running `dropbear -F -E` is useful to run in the foreground. You
-can set `#define DEBUG_NOFORK 1` to make dropbear a one-shot server, easy to
-run under a debugger.
+#### File dependencies
+The GitHub [test build script](./github/workflows/build.yml) requires the [default_options.h](./default_options.h) be at the top of the repository tree. The script uses the file to generate localoptions.h with various features enabled/disabled.
-## Random sources
+Following are generated files in the format \<target\>: \<generator\>(\<source\>)
+```
+- configure: autoconf(configure.ac)
+- config.h.in: autoheader(configure.ac)
+- config.h: configure(config.h.in)
+- Makefile: configure(Makefile.in)
+- default_options_guard.h: make(default_options.h)
+```
+Although generated, the first two files are checked in as they change very infrequently.
-Most cryptography requires a good random entropy source, both to generate secret
-keys and in the course of a session. Dropbear uses the Linux kernel's
-`getrandom()` syscall to ensure that the system RNG has been initialised before
-using it. On some systems there is insufficient entropy gathered during early
-boot - generating hostkeys then will block for some amount of time.
-Dropbear has a `-R` option to generate hostkeys upon the first connection
-as required - that will allow the system more time to gather entropy.
+#### Debug printing
-## Algorithms
+Set `#define DEBUG_TRACE 1` in [localoptions.h](./localoptions.h) to enable a `-v` option for dropbear and dbclient. That prints various details of the session. For development running `dropbear -F -E` is useful to run in the foreground. You can set `#define DEBUG_NOFORK 1` to make dropbear a one-shot server, easy to run under a debugger.
-Default algorithm lists are specified in [common-algo.c](common-algo.c).
-They are in priority order, the client's first matching choice is used
-(see rfc4253).
-Dropbear client has `-c` and `-m` arguments to choose which are enabled at
-runtime (doesn't work for server as of June 2020).
+#### Random sources
-Enabling/disabling algorithms is done in [localoptions.h](localoptions.h),
-see [default_options.h](default_options.h).
+Most cryptography requires a good random entropy source, both to generate secret keys and in the course of a session. Dropbear uses the Linux kernel's `getrandom()` syscall to ensure that the system RNG has been initialised before using it. On some systems there is insufficient entropy gathered during early boot - generating hostkeys then will block for some amount of time. Dropbear has a `-R` option to generate hostkeys upon the first connection as required - that will allow the system more time to gather entropy.
-## Style
+#### Algorithms
-Source code is indented with tabs, width set to 4 (though width shouldn't
-matter much). Braces are on the same line as functions/loops/if - try
-to keep consistency with existing code.
+Default algorithm lists are specified in [common-algo.c](./src/common-algo.c). They are in priority order, the client's first matching choice is used (see [rfc4253](https://www.rfc-editor.org/rfc/rfc4253.html)). Dropbear client has `-c` and `-m` arguments to choose which are enabled at runtime (doesn't work for server as of June 2020).
-All `if` statements should have braces, no exceptions.
+Enabling/disabling algorithms is done in [localoptions.h](./localoptions.h), see [default_options.h](./default_options.h).
+
+#### Style
-Avoid using pointer arithmetic, instead the functions in
-[buffer.h](buffer.h) should be used.
+Source code is indented with tabs, width set to 4 (though width shouldn't matter much). Braces are on the same line as functions/loops/if - try to keep consistency with existing code.
+
+All `if` statements should have braces, no exceptions.
-Some Dropbear platforms have old compilers.
-Variable declarations must be at the top of a scope and
-comments must be `/* */` rather than `//`.
+Avoid using pointer arithmetic, instead the functions in [buffer.h](./src/buffer.h) should be used.
-Pointer variables should be initialised to NULL - it can reduce the
-severity of bugs.
+Some Dropbear platforms have old compilers. Variable declarations must be at the top of a scope and comments must be `/* */` rather than `//`.
-## Third party code
+Pointer variables should be initialised to NULL - it can reduce the severity of bugs.
-Libtomcrypt and libtommath are periodically synced from upstream, so
-avoid making changes to that code which will need to be maintained.
-Improvements can be sent upstream to the libtom project.
+#### Third party code
-## Non-root user
+Libtomcrypt and libtommath are periodically synced from upstream, so avoid making changes to that code which will need to be maintained. Improvements can be sent upstream to the libtom project.
-Dropbear server will run fine as a non-root user, allowing logins only for
-that user. Password authentication probably won't work (can't read shadow
-passwords). You will need to create hostkeys that are readable.
+#### Non-root user
-## Connection setup
+Dropbear server will run fine as a non-root user, allowing logins only for that user. Password authentication probably won't work (can't read shadow passwords). You will need to create hostkeys that are readable.
-Dropbear implements first_kex_packet_follows to reduce
-handshake latency (rfc 4253 7.1). Some less common implementations don't
-handle that, it can be a cause of problems connecting. Note also that
-Dropbear may send several ssh packets within a single TCP packet - it's just a
-stream.
+#### Connection setup
+Dropbear implements `first_kex_packet_follows` to reduce handshake latency (rfc 4253 7.1)[https://www.rfc-editor.org/rfc/rfc4253.html#section-7.1]. Some less common implementations don't handle that - it can be a cause of problems connecting. Note also that Dropbear may send several ssh packets within a single TCP packet - it's just a stream.
diff --git a/FUZZER-NOTES.md b/FUZZER-NOTES.md
index 4967eba..078fbc5 100644
--- a/FUZZER-NOTES.md
+++ b/FUZZER-NOTES.md
@@ -1,77 +1,45 @@
-# Fuzzing Dropbear
+## Fuzzing Dropbear
-Dropbear is process-per-session so it assumes calling `dropbear_exit()`
-is fine at any point to clean up. This makes fuzzing a bit trickier.
-A few pieces of wrapping infrastructure are used to work around this.
+Dropbear is process-per-session so it assumes calling `dropbear_exit()` is fine at any point to clean up. This makes fuzzing a bit trickier. A few pieces of wrapping infrastructure are used to work around this.
-The [libfuzzer](http://llvm.org/docs/LibFuzzer.html#fuzz-target) harness
-expects a long running process to continually run a test function with
-a string of crafted input. That process should not leak resources or exit.
+The [libfuzzer](http://llvm.org/docs/LibFuzzer.html#fuzz-target) harness expects a long running process to continually run a test function with a string of crafted input. That process should not leak resources or exit.
-## longjmp
+#### longjmp
-When dropbear runs in fuzz mode it sets up a
-[`setjmp()`](http://man7.org/linux/man-pages/man3/setjmp.3.html) target prior
-to launching the code to be fuzzed, and then [`dropbear_exit()`](dbutil.c#L125)
-calls `longjmp()` back there. This avoids exiting though it doesn't free
-memory or other resources.
+When dropbear runs in fuzz mode it sets up a [`setjmp()`](http://man7.org/linux/man-pages/man3/setjmp.3.html) target prior to launching the code to be fuzzed, and then [`dropbear_exit()`](./src/dbutil.c#L125) calls `longjmp()` back there. This avoids exiting though it doesn't free memory or other resources.
-## malloc Wrapper
+#### malloc Wrapper
-Dropbear normally uses a [`m_malloc()`](dbmalloc.c) function that is the same as `malloc()` but
-exits if allocation fails. In fuzzing mode this is replaced with a tracking allocator
-that stores all allocations in a linked list. After the `longjmp()` occurs the fuzzer target
-calls [`m_malloc_free_epoch(1, 1)`](dbmalloc.c) to clean up any unreleased memory.
+Dropbear normally uses a [`m_malloc()`](./src/dbmalloc.c) function that is the same as `malloc()` but exits if allocation fails. In fuzzing mode this is replaced with a tracking allocator that stores all allocations in a linked list. After the `longjmp()` occurs the fuzzer target calls [`m_malloc_free_epoch(1, 1)`](./src/dbmalloc.c#L80) to clean up any unreleased memory.
-If the fuzz target runs to completion it calls `m_malloc_free_epoch(1, 0)` which will reset
-the tracked allocations but will not free memory - that allows libfuzzer's leak checking
-to detect leaks in normal operation.
+If the fuzz target runs to completion it calls `m_malloc_free_epoch(1, 0)` which will reset the tracked allocations but will not free memory - that allows libfuzzer's leak checking to detect leaks in normal operation.
-## File Descriptor Input
+#### File Descriptor Input
-As a network process Dropbear reads and writes from a socket. The wrappers for
-`read()`/`write()`/`select()` in [fuzz-wrapfd.c](fuzz-wrapfd.c) will read from the
-fuzzer input that has been set up with `wrapfd_add()`. `write()` output is
-currently discarded.
-These also test error paths such as EINTR and short reads with certain probabilities.
+As a network process Dropbear reads and writes from a socket. The wrappers for `read()`/`write()`/`select()` in [fuzz-wrapfd.c](./fuzz/fuzz-wrapfd.c) will read from the fuzzer input that has been set up with `wrapfd_add()`. `write()` output is currently discarded. These also test error paths such as EINTR and short reads with certain probabilities.
-This allows running the entire dropbear server process with network input provided by the
-fuzzer, without many modifications to the main code. At the time of writing this
-only runs the pre-authentication stages, though post-authentication could be run similarly.
+This allows running the entire dropbear server process with network input provided by the fuzzer, without many modifications to the main code. At the time of writing this only runs the pre-authentication stages, though post-authentication could be run similarly.
-## Encryption and Randomness
+#### Encryption and Randomness
-When running in fuzzing mode Dropbear uses a [fixed seed](dbrandom.c#L185)
-every time so that failures can be reproduced.
+When running in fuzzing mode Dropbear uses a [fixed seed](./src/dbrandom.c#L185) every time so that failures can be reproduced.
-Since the fuzzer cannot generate valid encrypted input the packet decryption and
-message authentication calls are disabled, see [packet.c](packet.c).
-MAC failures are set to occur with a low probability to test that error path.
+Since the fuzzer cannot generate valid encrypted input the packet decryption and message authentication calls are disabled, see [packet.c](./src/packet.c). MAC failures are set to occur with a low probability to test that error path.
-## Fuzzers
+#### Fuzzers
-Current fuzzers are
+Current fuzzers are:
-- [fuzzer-preauth](fuzzer-preauth.c) - the fuzzer input is treated as a stream of session input. This will
- test key exchange, packet ordering, authentication attempts etc.
+* [fuzzer-preauth](./fuzz/fuzzer-preauth.c) - the fuzzer input is treated as a stream of session input. This will test key exchange, packet ordering, authentication attempts etc.
-- [fuzzer-preauth_nomaths](fuzzer-preauth_nomaths.c) - the same as fuzzer-preauth but with asymmetric crypto
- routines replaced with dummies for faster runtime. corpora are shared
- between fuzzers by [oss-fuzz](https://github.com/google/oss-fuzz) so this
- will help fuzzer-preauth too.
+* [fuzzer-preauth_nomaths](./fuzz/fuzzer-preauth_nomaths.c) - the same as fuzzer-preauth but with asymmetric crypto routines replaced with dummies for faster runtime. corpora are shared between fuzzers by [oss-fuzz](https://github.com/google/oss-fuzz) so this will help fuzzer-preauth too.
-- [fuzzer-verify](fuzzer-verify.c) - read a key and signature from fuzzer input and verify that signature.
- It would not be expected to pass, though some keys with bad parameters are
- able to validate with a trivial signature - extra checks are added for that.
+* [fuzzer-verify](./fuzz/fuzzer-verify.c) - read a key and signature from fuzzer input and verify that signature. It would not be expected to pass, though some keys with bad parameters are able to validate with a trivial signature - extra checks are added for that.
-- [fuzzer-pubkey](fuzzer-pubkey.c) - test parsing of an `authorized_keys` line.
+* [fuzzer-pubkey](./fuzz/fuzzer-pubkey.c) - test parsing of an `authorized_keys` line.
-- [fuzzer-kexdh](fuzzer-kexdh.c) - test Diffie-Hellman key exchange where the fuzz input is the
- ephemeral public key that would be received over the network. This is testing `mp_expt_mod()`
- and and other libtommath routines.
+* [fuzzer-kexdh](./fuzz/fuzzer-kexdh.c) - test Diffie-Hellman key exchange where the fuzz input is the ephemeral public key that would be received over the network. This is testing `mp_expt_mod()` and and other libtommath routines.
-- [fuzzer-kexecdh](fuzzer-kexecdh.c) - test Elliptic Curve Diffie-Hellman key exchange like fuzzer-kexdh.
- This is testing libtommath ECC routines.
+* [fuzzer-kexecdh](./fuzz/fuzzer-kexecdh.c) - test Elliptic Curve Diffie-Hellman key exchange like fuzzer-kexdh. This is testing libtommath ECC routines.
-- [fuzzer-kexcurve25519](fuzzer-kexcurve25519.c) - test Curve25519 Elliptic Curve Diffie-Hellman key exchange
- like fuzzer-kexecdh. This is testing `dropbear_curve25519_scalarmult()` and other libtommath routines.
+* [fuzzer-kexcurve25519](./fuzz/fuzzer-kexcurve25519.c) - test Curve25519 Elliptic Curve Diffie-Hellman key exchange like fuzzer-kexecdh. This is testing `dropbear_curve25519_scalarmult()` and other libtommath routines.
diff --git a/INSTALL b/INSTALL
deleted file mode 100644
index 60eb707..0000000
--- a/INSTALL
+++ /dev/null
@@ -1,93 +0,0 @@
-Basic Dropbear build instructions:
-
-- Edit localoptions.h to set which features you want. Available options
- are described in default_options.h, these will be overridden by
- anything set in localoptions.h
- localoptions.h should be located in the build directory if you are
- building out of tree.
-
-- Configure for your system:
- ./configure (optionally with --disable-zlib or --disable-syslog,
- or --help for other options)
-
- (you'll need to first run "autoconf; autoheader" if you edit configure.ac)
-
-- Compile:
-
- make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
-
-- Optionally install, or copy the binaries another way
-
- make install (/usr/local/bin is usual default):
-
- or
-
- make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
-
-(you can leave items out of the PROGRAMS list to avoid compiling them. If you
-recompile after changing the PROGRAMS list, you *MUST* "make clean" before
-recompiling - bad things will happen otherwise)
-
-DEVELOPING.md has some notes on other developer topics, including debugging.
-
-See MULTI for instructions on making all-in-one binaries.
-
-If you want to compile statically use ./configure --enable-static
-
-By default Dropbear adds various build flags that improve robustness
-against programming bugs (good for security). If these cause problems
-they can be disabled with ./configure --disable-harden
-
-Binaries can be stripped with "make strip"
-
-============================================================================
-
-If you're compiling for a 386-class CPU, you will probably need to add
-CFLAGS=-DLTC_NO_BSWAP so that libtomcrypt doesn't use 486+ instructions.
-
-============================================================================
-
-Compiling with uClibc:
-
-Firstly, make sure you have at least uclibc 0.9.17, as getusershell() in prior
-versions is broken. Also note that you may get strange issues if your uClibc
-headers don't match the library you are running with, ie the headers might
-say that shadow password support exists, but the libraries don't have it.
-
-Compiling for uClibc should be the same as normal, just set CC to the magic
-uClibc toolchain compiler (ie export CC=i386-uclibc-gcc or whatever).
-You can use "make STATIC=1" to make statically linked binaries, and it is
-advisable to strip the binaries too. If you're looking to make a small binary,
-you should remove unneeded ciphers and algorithms, by editing localoptions.h
-
-It is possible to compile zlib in, by copying zlib.h and zconf.h into a
-subdirectory (ie zlibincludes), and
-
-export CFLAGS="-Izlibincludes -I../zlibincludes"
-export LDFLAGS=/usr/lib/libz.a
-
-before ./configure and make.
-
-If you disable zlib, you must explicitly disable compression for the client -
-OpenSSH is possibly buggy in this regard, it seems you need to disable it
-globally in ~/.ssh/config, not just in the host entry in that file.
-
-You may want to manually disable lastlog recording when using uClibc, configure
-with --disable-lastlog.
-
-One common problem is pty allocation. There are a number of types of pty
-allocation which can be used -- if they work properly, the end result is the
-same for each type. Running configure should detect the best type to use
-automatically, however for some systems, this may be incorrect. Some
-things to note:
-
- If your system expects /dev/pts to be mounted (this is a uClibc option),
- make sure that it is.
-
- Make sure that your libc headers match the library version you are using.
-
- If openpty() is being used (HAVE_OPENPTY defined in config.h) and it fails,
- you can try compiling with --disable-openpty. You will probably then need
- to create all the /dev/pty?? and /dev/tty?? devices, which can be
- problematic for devfs. In general, openpty() is the best way to allocate
- PTYs, so it's best to try and get it working.
diff --git a/INSTALL.md b/INSTALL.md
new file mode 100644
index 0000000..9dd65f9
--- /dev/null
+++ b/INSTALL.md
@@ -0,0 +1,82 @@
+## Basic Dropbear Build Instructions
+
+Edit [localoptions.h](./localoptions.h) to set which features you want. Available options are described in default_options.h, these will be overridden by anything set in [localoptions.h](./localoptions.h) should be located in the build directory if you are building out of tree.
+Note that the file is not tracked ([*.gitignore*](.gitignore)-d) and you may need to create it.
+
+#### Configure for your system
+```
+./configure
+```
+Optionally with `--disable-zlib` or `--disable-syslog`.
+Or `--help` for other options.
+
+You'll need to first run `autoconf; autoheader` if you edit `configure.ac`.
+
+#### Compile:
+
+```
+make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
+```
+
+Optionally install, or copy the binaries another way:
+
+```
+make install
+```
+`/usr/local/bin` is usual default.
+
+or
+
+```
+make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
+```
+
+To test the installation targeting a temporary forder set `DESTDIR`:
+```
+make install DESTDIR=/same/temp/location
+```
+
+You can leave items out of the `PROGRAMS` list to avoid compiling them. If you recompile after changing the `PROGRAMS` list, you **MUST** `make clean` before recompiling - bad things will happen otherwise.
+
+[DEVELOPING.md](DEVELOPING.md) has some notes on other developer topics, including debugging.
+
+See [MULTI.md](MULTI.md) for instructions on making all-in-one binaries.
+
+If you want to compile statically use
+```
+./configure --enable-static
+```
+
+By default Dropbear adds various build flags that improve robustness against programming bugs (good for security). If these cause problems they can be disabled with `./configure --disable-harden`.
+
+Binaries can be stripped with `make strip`.
+
+> **Note**
+> If you're compiling for a 386-class CPU, you will probably need to add CFLAGS=-DLTC_NO_BSWAP so that libtomcrypt doesn't use 486+ instructions.
+
+## Compiling with uClibc
+
+Firstly, make sure you have at least uclibc 0.9.17, as `getusershell()` in prior versions is broken. Also note that you may get strange issues if your uClibc headers don't match the library you are running with, ie the headers might say that shadow password support exists, but the libraries don't have it.
+
+Compiling for uClibc should be the same as normal, just set CC to the magic uClibc toolchain compiler (ie `export CC=i386-uclibc-gcc` or whatever). You can use `make STATIC=1` to make statically linked binaries, and it is advisable to strip the binaries too. If you're looking to make a small binary, you should remove unneeded ciphers and algorithms, by editing [localoptions.h](./localoptions.h).
+
+It is possible to compile zlib in, by copying zlib.h and zconf.h into a subdirectory (ie zlibincludes), and
+
+```
+export CFLAGS="-Izlibincludes -I../zlibincludes"
+export LDFLAGS=/usr/lib/libz.a
+```
+before `./configure` and `make`.
+
+If you disable zlib, you must explicitly disable compression for the client - OpenSSH is possibly buggy in this regard, it seems you need to disable it globally in *~/.ssh/config*, not just in the host entry in that file.
+
+You may want to manually disable lastlog recording when using uClibc, configure with `--disable-lastlog`.
+
+One common problem is pty allocation. There are a number of types of pty allocation which can be used -- if they work properly, the end result is the same for each type. Running configure should detect the best type to use automatically, however for some systems, this may be incorrect. Some
+things to note:
+
+* If your system expects */dev/pts* to be mounted (this is a uClibc option), make sure that it is.
+
+* Make sure that your libc headers match the library version you are using.
+
+* If `openpty()` is being used (`HAVE_OPENPTY` defined in *config.h*) and it fails, you can try compiling with `--disable-openpty`. You will probably then need to create all the */dev/pty??* and */dev/tty??* devices, which can be problematic for devfs. In general, `openpty()` is the best way to allocate PTYs, so it's best to try and get it working.
diff --git a/MULTI b/MULTI
deleted file mode 100644
index 606f815..0000000
--- a/MULTI
+++ /dev/null
@@ -1,22 +0,0 @@
-Multi-binary compilation
-========================
-
-To compile for systems without much space (floppy distributions etc), you
-can create a single binary. This will save disk space by avoiding repeated
-code between the various parts.
-If you are familiar with "busybox", it's the same principle.
-
-To compile the multi-binary, first "make clean" (if you've compiled
-previously), then
-
-make PROGRAMS="programs you want here" MULTI=1
-
-To use the binary, symlink it from the desired executable:
-
-ln -s dropbearmulti dropbear
-ln -s dropbearmulti dbclient
-etc
-
-then execute as normal:
-
-./dropbear <options here>
diff --git a/MULTI.md b/MULTI.md
new file mode 100644
index 0000000..01f9bc1
--- /dev/null
+++ b/MULTI.md
@@ -0,0 +1,23 @@
+## Multi-Binary Compilation
+
+To compile for systems without much space (floppy distributions etc), you can create a single binary. This will save disk space by avoiding repeated code between the various parts. If you are familiar with "busybox", it's the same principle.
+
+To compile the multi-binary, first `make clean` (if you've compiled previously), then
+
+```
+make PROGRAMS="programs you want here" MULTI=1
+```
+
+To use the binary, symlink it from the desired executable:
+
+```
+ln -s dropbearmulti dropbear
+ln -s dropbearmulti dbclient
+```
+etc.
+
+Then execute as normal:
+
+```
+./dropbear <options here>
+```
diff --git a/Makefile.in b/Makefile.in
index e824491..842a01a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -12,25 +12,31 @@ ifndef PROGRAMS
PROGRAMS=dropbear dbclient dropbearkey dropbearconvert
endif
+srcdir=./src
+VPATH=$(srcdir)
+
STATIC_LTC=libtomcrypt/libtomcrypt.a
STATIC_LTM=libtommath/libtommath.a
LIBTOM_LIBS=@LIBTOM_LIBS@
ifeq (@BUNDLED_LIBTOM@, 1)
-LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM)
-LIBTOM_CLEAN=ltc-clean ltm-clean
-CPPFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/
-LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
+ LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM)
+ LIBTOM_CLEAN=ltc-clean ltm-clean
+ CPPFLAGS+=-I./libtomcrypt/src/headers/ -I./libtommath
+ LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
endif
-OPTION_HEADERS = default_options_guard.h sysoptions.h
-ifneq ($(wildcard localoptions.h),)
-CPPFLAGS+=-DLOCALOPTIONS_H_EXISTS
-OPTION_HEADERS += localoptions.h
+OPTION_HEADERS = default_options_guard.h $(srcdir)/sysoptions.h
+ifneq ($(wildcard ./localoptions.h),)
+ CPPFLAGS+=-DLOCALOPTIONS_H_EXISTS
+ OPTION_HEADERS += ./localoptions.h
endif
-COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
+OBJ_DIR=./obj
+MAN_DIR=./manpages
+
+_COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
dss.o bignum.o \
signkey.o rsa.o dbrandom.o \
queue.o \
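Review bot: Hard-coding `srcdir=./src` and `VPATH=$(srcdir)` at the top of this hunk, in place of the `@srcdir@` substitution that a later hunk removes, ties the build to being run from the source root, so a build configured from a separate directory would presumably no longer find the sources. The same goes for `-I./libtomcrypt/src/headers/ -I./libtommath` (previously `-I$(srcdir)/...`) and for `MAN_DIR=./manpages`, which the install rules further down now use. The libtomcrypt/Makefile.in and libtommath/Makefile.in hunks drop `-I../` and look to have the same effect on headers generated in the build directory. Keeping the configure substitution, e.g. `srcdir=@srcdir@/src` and `MAN_DIR=@srcdir@/manpages`, would preserve out-of-tree builds.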
@@ -39,32 +45,39 @@ COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
curve25519.o ed25519.o sk-ed25519.o \
dbmalloc.o \
gensignkey.o gendss.o genrsa.o gened25519.o
+COMMONOBJS = $(patsubst %,$(OBJ_DIR)/%,$(_COMMONOBJS))
-SVROBJS=svr-kex.o svr-auth.o sshpty.o \
+_SVROBJS=svr-kex.o svr-auth.o sshpty.o \
svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
svr-tcpfwd.o svr-authpam.o
+SVROBJS = $(patsubst %,$(OBJ_DIR)/%,$(_SVROBJS))
-CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
+_CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
cli-session.o cli-runopts.o cli-chansession.o \
cli-authpubkey.o cli-tcpfwd.o cli-channel.o cli-authinteract.o \
- cli-agentfwd.o
+ cli-agentfwd.o
+CLIOBJS = $(patsubst %,$(OBJ_DIR)/%,$(_CLIOBJS))
-CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \
- common-channel.o common-chansession.o termcodes.o loginrec.o \
- tcp-accept.o listener.o process-packet.o dh_groups.o \
- common-runopts.o circbuffer.o list.o netio.o chachapoly.o gcm.o
+_CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \
+ common-channel.o common-chansession.o termcodes.o loginrec.o \
+ tcp-accept.o listener.o process-packet.o dh_groups.o \
+ common-runopts.o circbuffer.o list.o netio.o chachapoly.o gcm.o
+CLISVROBJS = $(patsubst %,$(OBJ_DIR)/%,$(_CLISVROBJS))
-KEYOBJS=dropbearkey.o
+_KEYOBJS=dropbearkey.o
+KEYOBJS = $(patsubst %,$(OBJ_DIR)/%,$(_KEYOBJS))
-CONVERTOBJS=dropbearconvert.o keyimport.o signkey_ossh.o
+_CONVERTOBJS=dropbearconvert.o keyimport.o signkey_ossh.o
+CONVERTOBJS = $(patsubst %,$(OBJ_DIR)/%,$(_CONVERTOBJS))
-SCPOBJS=scp.o progressmeter.o atomicio.o scpmisc.o compat.o
+_SCPOBJS=scp.o progressmeter.o atomicio.o scpmisc.o compat.o
+SCPOBJS = $(patsubst %,$(OBJ_DIR)/%,$(_SCPOBJS))
ifeq (@DROPBEAR_FUZZ@, 1)
allobjs = $(COMMONOBJS) fuzz/fuzz-common.o fuzz/fuzz-wrapfd.o $(CLISVROBJS) $(CLIOBJS) $(SVROBJS) @CRYPTLIB@
- allobjs:=$(subst svr-main.o, ,$(allobjs))
- allobjs:=$(subst cli-main.o, ,$(allobjs))
+ allobjs:=$(subst $(OBJ_DIR)/svr-main.o, ,$(allobjs))
+ allobjs:=$(subst $(OBJ_DIR)/cli-main.o, ,$(allobjs))
dropbearobjs=$(allobjs) svr-main.o
dbclientobjs=$(allobjs) cli-main.o
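Review bot: In the fuzz branch, `dropbearobjs=$(allobjs) svr-main.o` and `dbclientobjs=$(allobjs) cli-main.o` still name the objects without the `$(OBJ_DIR)/` prefix, although the two `subst` lines directly above were updated to strip the prefixed names. Since a later hunk replaces the explicit `%.o` rule with one for `$(OBJ_DIR)/%.o` only, these two objects would presumably fall back to make's built-in rule, land in the top directory and lose the `$(HEADERS)` dependency; the `fuzz/*.o` entries in `allobjs` may be affected the same way. I would write `dropbearobjs=$(allobjs) $(OBJ_DIR)/svr-main.o` and `dbclientobjs=$(allobjs) $(OBJ_DIR)/cli-main.o`. The `ifeq` block continues past the end of this hunk.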
@@ -82,17 +95,14 @@ else
endif
ifeq (@DROPBEAR_PLUGIN@, 1)
- # rdynamic makes all the global symbols of dropbear available to all the loaded shared libraries
- # this allow a plugin to reuse existing crypto/utilities like base64_decode/base64_encode without
- # the need to rewrite them.
- PLUGIN_LIBS=-ldl -rdynamic
+ # rdynamic makes all the global symbols of dropbear available to all the loaded shared libraries
+ # this allow a plugin to reuse existing crypto/utilities like base64_decode/base64_encode without
+ # the need to rewrite them.
+ PLUGIN_LIBS=-ldl -rdynamic
else
- PLUGIN_LIBS=
+ PLUGIN_LIBS=
endif
-VPATH=@srcdir@
-srcdir=@srcdir@
-
prefix=@prefix@
exec_prefix=@exec_prefix@
datarootdir = @datarootdir@
@@ -150,14 +160,20 @@ all: $(TARGETS)
# for simplicity assume all source depends on all headers
HEADERS=$(wildcard $(srcdir)/*.h *.h) $(OPTION_HEADERS)
-%.o : %.c $(HEADERS)
+
+$(OBJ_DIR):
+ mkdir -p $@
+
+$(OBJ_DIR)/%.o: $(srcdir)/%.c $(HEADERS) | $(OBJ_DIR)
$(CC) -c $(CFLAGS) $(CPPFLAGS) $< -o $@
default_options_guard.h: default_options.h
@echo Creating $@
@printf "/*\n > > > Do not edit this file (default_options_guard.h) < < <\nGenerated from "$^"\nLocal customisation goes in localoptions.h\n*/\n\n" > $@.tmp
- @$(srcdir)/ifndef_wrapper.sh < $^ >> $@.tmp
+ @./ifndef_wrapper.sh < $^ >> $@.tmp
@mv $@.tmp $@
+ @pwd
+ @ls -l $@
strip: $(TARGETS)
$(STRIP) $(addsuffix $(EXEEXT), $(TARGETS))
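Review bot: The `@pwd` and `@ls -l $@` lines added to the `default_options_guard.h` recipe look like leftover debugging output and serve no build purpose, so I would drop both. The recipe also now runs `./ifndef_wrapper.sh` relative to the current directory instead of `$(srcdir)`, which works only when make is invoked from the directory that holds the script. A one-line comment above the new pattern rule, such as `# objects go to $(OBJ_DIR); the order-only prerequisite creates it on first use`, would explain the `| $(OBJ_DIR)` part to readers unfamiliar with that syntax.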
@@ -167,31 +183,31 @@ install: $(addprefix inst_, $(TARGETS))
insmultidropbear: dropbearmulti$(EXEEXT)
$(INSTALL) -d $(DESTDIR)$(sbindir)
-rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
- -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
+ -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
$(INSTALL) -d $(DESTDIR)$(mandir)/man8
- $(INSTALL) -m 644 $(srcdir)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8
+ $(INSTALL) -m 644 $(MAN_DIR)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8
insmulti%: dropbearmulti$(EXEEXT)
$(INSTALL) -d $(DESTDIR)$(bindir)
- -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT)
- -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT)
+ -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT)
+ -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT)
$(INSTALL) -d $(DESTDIR)$(mandir)/man1
- if test -e $(srcdir)/$*.1; then $(INSTALL) -m 644 $(srcdir)/$*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
+ if test -e $(MAN_DIR)/$*.1; then $(INSTALL) -m 644 $(MAN_DIR)/$*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
# dropbear should go in sbin, so it needs a separate rule
inst_dropbear: dropbear
$(INSTALL) -d $(DESTDIR)$(sbindir)
$(INSTALL) dropbear$(EXEEXT) $(DESTDIR)$(sbindir)
$(INSTALL) -d $(DESTDIR)$(mandir)/man8
- $(INSTALL) -m 644 $(srcdir)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8
+ $(INSTALL) -m 644 $(MAN_DIR)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8
inst_%: %
$(INSTALL) -d $(DESTDIR)$(bindir)
$(INSTALL) $*$(EXEEXT) $(DESTDIR)$(bindir)
$(INSTALL) -d $(DESTDIR)$(mandir)/man1
- if test -e $(srcdir)/$*.1; then $(INSTALL) -m 644 $(srcdir)/$*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
+ if test -e $(MAN_DIR)/$*.1; then $(INSTALL) -m 644 $(MAN_DIR)/$*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi
-inst_dropbearmulti: $(addprefix insmulti, $(PROGRAMS))
+inst_dropbearmulti: $(addprefix insmulti, $(PROGRAMS))
# for some reason the rule further down doesn't like $($@objs) as a prereq.
dropbear: $(dropbearobjs)
@@ -216,7 +232,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile
# multi-binary compilation.
MULTIOBJS=
ifeq ($(MULTI),1)
- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
+ MULTIOBJS=$(OBJ_DIR)/dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
CPPFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
endif
@@ -253,7 +269,8 @@ clean: $(LIBTOM_CLEAN) $(FUZZ_CLEAN) thisclean
thisclean:
-rm -f dropbear$(EXEEXT) dbclient$(EXEEXT) dropbearkey$(EXEEXT) \
dropbearconvert$(EXEEXT) scp$(EXEEXT) scp-progress$(EXEEXT) \
- dropbearmulti$(EXEEXT) *.o *.da *.bb *.bbg *.prof
+ dropbearmulti$(EXEEXT) *.o *.da *.bb *.bbg *.prof \
+ $(OBJ_DIR)/*
distclean: clean tidy
-rm -f config.h
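Review bot: The new `$(OBJ_DIR)/*` argument to `rm -f` in `thisclean` expands to `/*` if `OBJ_DIR` is ever empty, for instance when it is overridden on the make command line. Narrowing the glob to what the pattern rule actually writes there, `$(OBJ_DIR)/*.o`, keeps the clean target from touching anything else.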
@@ -288,13 +305,13 @@ fuzzstandalone: FUZZLIB=fuzz/fuzz-harness.o
fuzzstandalone: fuzz/fuzz-harness.o fuzz-targets
# Build all the fuzzers. Usually like
-# make fuzz-targets FUZZLIB=-lFuzzer.a
+# make fuzz-targets FUZZLIB=-lFuzzer.a
# the library provides main(). Otherwise
# make fuzzstandalone
# provides a main in fuzz-harness.c
fuzz-targets: $(FUZZ_TARGETS) $(FUZZER_OPTIONS)
-$(FUZZ_TARGETS): $(FUZZ_OBJS) $(allobjs) $(LIBTOM_DEPS)
+$(FUZZ_TARGETS): $(LIBTOM_DEPS) $(allobjs) $(FUZZ_OBJS)
$(CXX) $(CXXFLAGS) fuzz/$@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
# fuzzers that use the custom mutator - these expect a SSH network stream
@@ -311,7 +328,7 @@ fuzzer-%.options: Makefile
echo "[libfuzzer]" > $@
echo "max_len = 50000" >> $@
-# run this to update hardcoded hostkeys for for fuzzing.
+# run this to update hardcoded hostkeys for for fuzzing.
# hostkeys.c is checked in to hg.
fuzz-hostkeys:
dropbearkey -t rsa -f keyr
diff --git a/README b/README
deleted file mode 100644
index bdc99dc..0000000
--- a/README
+++ /dev/null
@@ -1,81 +0,0 @@
-This is Dropbear, a smallish SSH server and client.
-https://matt.ucc.asn.au/dropbear/dropbear.html
-
-INSTALL has compilation instructions.
-
-MULTI has instructions on making a multi-purpose binary (ie a single binary
-which performs multiple tasks, to save disk space)
-
-SMALL has some tips on creating small binaries.
-
-A mirror of the Dropbear website and tarballs is available at https://dropbear.nl/mirror/
-
-Please contact me if you have any questions/bugs found/features/ideas/comments etc :)
-There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear
-
-Matt Johnston
-matt@ucc.asn.au
-
-
-In the absence of detailed documentation, some notes follow:
-============================================================================
-
-Server public key auth:
-
-You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
-the key entries in that file. They should be of the form:
-
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname
-
-You must make sure that ~/.ssh, and the key file, are only writable by the
-user. Beware of editors that split the key into multiple lines.
-
-Dropbear supports some options for authorized_keys entries, see the manpage.
-
-============================================================================
-
-Client public key auth:
-
-Dropbear can do public key auth as a client, but you will have to convert
-OpenSSH style keys to Dropbear format, or use dropbearkey to create them.
-
-If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:
-
-dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db
-dbclient -i ~/.ssh/id_rsa.db <hostname>
-
-Dropbear does not support encrypted hostkeys though can connect to ssh-agent.
-
-============================================================================
-
-If you want to get the public-key portion of a Dropbear private key, look at
-dropbearkey's '-y' option.
-
-============================================================================
-
-To run the server, you need to generate server keys, this is one-off:
-./dropbearkey -t rsa -f dropbear_rsa_host_key
-./dropbearkey -t dss -f dropbear_dss_host_key
-./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key
-./dropbearkey -t ed25519 -f dropbear_ed25519_host_key
-
-or alternatively convert OpenSSH keys to Dropbear:
-./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key
-
-You can also get Dropbear to create keys when the first connection is made -
-this is preferable to generating keys when the system boots. Make sure
-/etc/dropbear/ exists and then pass '-R' to the dropbear server.
-
-============================================================================
-
-If the server is run as non-root, you most likely won't be able to allocate a
-pty, and you cannot login as any user other than that running the daemon
-(obviously). Shadow passwords will also be unusable as non-root.
-
-============================================================================
-
-The Dropbear distribution includes a standalone version of OpenSSH's scp
-program. You can compile it with "make scp", you may want to change the path
-of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
-the progress meter isn't compiled in to save space, you can enable it by
-adding 'SCPPROGRESS=1' to the make commandline.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4b3f23e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,74 @@
+## Dropbear SSH
+A smallish SSH server and client
+https://matt.ucc.asn.au/dropbear/dropbear.html
+
+[INSTALL.md](INSTALL.md) has compilation instructions.
+
+[MULTI.md](MULTI.md) has instructions on making a multi-purpose binary (ie a single binary which performs multiple tasks, to save disk space).
+
+[SMALL.md](SMALL.md) has some tips on creating small binaries.
+
+A mirror of the Dropbear website and tarballs is available at https://dropbear.nl/mirror/.
+
+Please contact me if you have any questions/bugs found/features/ideas/comments etc :). There is also a mailing list at http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear
+
+Matt Johnston
+matt@ucc.asn.au
+
+
+### In the absence of detailed documentation, some notes follow
+
+----
+#### Server public key auth
+
+You can use *~/.ssh/authorized_keys* in the same way as with OpenSSH, just put the key entries in that file. They should be of the form:
+
+```
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0NkyU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname
+```
+
+You must make sure that *~/.ssh*, and the key file, are only writable by the user. Beware of editors that split the key into multiple lines.
+
+Dropbear supports some options for authorized_keys entries, see the manpage.
+
+----
+#### Client public key auth
+
+Dropbear can do public key auth as a client, but you will have to convert OpenSSH style keys to Dropbear format, or use dropbearkey to create them.
+
+If you have an OpenSSH-style private key *~/.ssh/id_rsa*, you need to do:
+
+```
+dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db
+dbclient -i ~/.ssh/id_rsa.db <hostname>
+```
+
+Dropbear does not support encrypted hostkeys though can connect to ssh-agent.
+
+----
+If you want to get the public-key portion of a Dropbear private key, look at dropbearkey's `-y` option.
+
+----
+To run the server, you need to generate server keys, this is one-off:
+
+```
+./dropbearkey -t rsa -f dropbear_rsa_host_key
+./dropbearkey -t dss -f dropbear_dss_host_key
+./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key
+./dropbearkey -t ed25519 -f dropbear_ed25519_host_key
+```
+
+Or alternatively convert OpenSSH keys to Dropbear:
+
+```
+./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key
+```
+
+You can also get Dropbear to create keys when the first connection is made - this is preferable to generating keys when the system boots. Make sure */etc/dropbear/* exists and then pass `-R` to the dropbear server.
+
+----
+If the server is run as non-root, you most likely won't be able to allocate a pty, and you cannot login as any user other than that running the daemon (obviously). Shadow passwords will also be unusable as non-root.
+
+----
+The Dropbear distribution includes a standalone version of OpenSSH's `scp` program. You can compile it with `make scp`. You may want to change the path of the ssh binary, specified by `_PATH_SSH_PROGRAM` in *options.h*. By default
+the progress meter isn't compiled in to save space, you can enable it by adding `SCPPROGRESS=1` to the `make` commandline.
diff --git a/SMALL b/SMALL
deleted file mode 100644
index 02658b1..0000000
--- a/SMALL
+++ /dev/null
@@ -1,56 +0,0 @@
-Tips for a small system:
-
-If you only want server functionality (for example), compile with
- make PROGRAMS=dropbear
-rather than just
- make dropbear
-so that client functionality in shared portions of Dropbear won't be included.
-The same applies if you are compiling just a client.
-
----
-
-The following are set in localoptions.h:
-
- - If you're compiling statically, you can turn off host lookups
-
- - You can disable either password or public-key authentication, though note
- that the IETF draft states that pubkey authentication is required.
-
- - Similarly with DSS and RSA, you can disable one of these if you know that
- all clients will be able to support a particular one. The IETF draft
- states that DSS is required, however you may prefer to use RSA.
- DON'T disable either of these on systems where you aren't 100% sure about
- who will be connecting and what clients they will be using.
-
- - Disabling the MOTD code and SFTP-SERVER may save a small amount of codesize
-
- - You can disable x11, tcp and agent forwarding as desired. None of these are
- essential, although agent-forwarding is often useful even on firewall boxes.
-
----
-
-If you are compiling statically, you may want to disable zlib, as it will use
-a few tens of kB of binary-size (./configure --disable-zlib).
-
-You can create a combined binary, see the file MULTI, which will put all
-the functions into one binary, avoiding repeated code.
-
-If you're compiling with gcc, you might want to look at gcc's options for
-stripping unused code. The relevant vars to set before configure are:
-
-LDFLAGS=-Wl,--gc-sections
-CFLAGS="-ffunction-sections -fdata-sections"
-
-You can also experiment with optimisation flags such as -Os, note that in some
-cases these flags actually seem to increase size, so experiment before
-deciding.
-
-Of course using small C libraries such as uClibc and dietlibc can also help.
-
----
-
-Libtommath has its own default CFLAGS to improve speed. You can use
-./configure LTM_CFLAGS=-Os
-to reduce size at the expense of speed.
-
-If you have any queries, mail me and I'll see if I can help.
diff --git a/SMALL.md b/SMALL.md
new file mode 100644
index 0000000..742ac7e
--- /dev/null
+++ b/SMALL.md
@@ -0,0 +1,59 @@
+## Tips for a small system
+
+If you only want server functionality (for example), compile with
+
+```
+make PROGRAMS=dropbear
+```
+
+rather than just
+
+```
+make dropbear
+```
+
+so that client functionality in shared portions of Dropbear won't be included. The same applies if you are compiling just a client.
+
+---
+The following are set in *localoptions.h*:
+
+* If you're compiling statically, you can turn off host lookups.
+
+* You can disable either password or public-key authentication, though note that the IETF draft states that pubkey authentication is required.
+
+* Similarly with DSS and RSA, you can disable one of these if you know that all clients will be able to support a particular one. The IETF draft states that DSS is required, however you may prefer to use RSA. **DON'T** disable either of these on systems where you aren't 100% sure about who will be connecting and what clients they will be using.
+
+* Disabling the `MOTD` code and `SFTP-SERVER` may save a small amount of codesize.
+
+* You can disable x11, tcp and agent forwarding as desired. None of these are essential, although agent-forwarding is often useful even on firewall boxes.
+
+---
+If you are compiling statically, you may want to disable zlib, as it will use a few tens of kB of binary-size
+```
+./configure --disable-zlib
+```
+
+You can create a combined binary, see the file [MULTI.md](MULTI.md), which will put all the functions into one binary, avoiding repeated code.
+
+If you're compiling with gcc, you might want to look at gcc's options for stripping unused code. The relevant vars to set before configure are:
+
+```
+LDFLAGS=-Wl,--gc-sections
+CFLAGS="-ffunction-sections -fdata-sections"
+```
+
+You can also experiment with optimisation flags such as `-Os`. Note that in some cases these flags actually seem to increase size, so experiment before
+deciding.
+
+Of course using small C libraries such as uClibc and dietlibc can also help.
+
+---
+Libtommath has its own default `CFLAGS` to improve speed. You can use
+
+```
+./configure LTM_CFLAGS=-Os
+```
+
+to reduce size at the expense of speed.
+
+If you have any queries, mail me and I'll see if I can help.
diff --git a/configure b/configure
index e1986dd..ad5de25 100755
--- a/configure
+++ b/configure
@@ -613,7 +613,6 @@ PACKAGE_STRING=''
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
-ac_unique_file="buffer.c"
# Factoring default headers for most tests.
ac_includes_default="\
#include <stddef.h>
@@ -2974,7 +2973,6 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
# Record which revision is being built
if test -s "`which hg`" && test -d "$srcdir/.hg"; then
hgrev=`hg id -i -R "$srcdir"`
diff --git a/configure.ac b/configure.ac
index a4f8f94..d82818a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7,7 +7,6 @@
AC_PREREQ([2.59])
AC_INIT
-AC_CONFIG_SRCDIR(buffer.c)
# Record which revision is being built
if test -s "`which hg`" && test -d "$srcdir/.hg"; then
diff --git a/libtomcrypt/Makefile.in b/libtomcrypt/Makefile.in
index d5c1f2f..15777d2 100644
--- a/libtomcrypt/Makefile.in
+++ b/libtomcrypt/Makefile.in
@@ -42,7 +42,7 @@ ARFLAGS = r
EXTRALIBS = ../libtommath/libtommath.a
#Compilation flags
-LTC_CFLAGS = -Isrc/headers/ -I$(srcdir)/src/headers/ -I../ -I$(srcdir)/../ -DLTC_SOURCE -I../libtommath/ -I$(srcdir)/../libtommath/ $(CFLAGS) $(CPPFLAGS)
+LTC_CFLAGS = -Isrc/headers/ -I$(srcdir)/src/headers/ -I$(srcdir)/.. -I$(srcdir)/../src -DLTC_SOURCE -I../libtommath/ -I$(srcdir)/../libtommath/ $(CFLAGS) $(CPPFLAGS)
LTC_LDFLAGS = $(LDFLAGS) $(EXTRALIBS)
VERSION=1.18.1
diff --git a/libtommath/Makefile.in b/libtommath/Makefile.in
index f1cb59c..d44fc38 100644
--- a/libtommath/Makefile.in
+++ b/libtommath/Makefile.in
@@ -6,7 +6,7 @@ VPATH=@srcdir@
srcdir=@srcdir@
# So that libtommath can include Dropbear headers for options and m_burn()
-CFLAGS += -I$(srcdir) -I../libtomcrypt/src/headers/ -I$(srcdir)/../libtomcrypt/src/headers/ -I../ -I$(srcdir)/../
+CFLAGS += -I$(srcdir) -I../libtomcrypt/src/headers/ -I$(srcdir)/../libtomcrypt/src/headers/ -I$(srcdir)/.. -I$(srcdir)/../src
CFLAGS += -Wno-deprecated
CFLAGS += $(CPPFLAGS)
diff --git a/dbclient.1 b/manpages/dbclient.1
index 8a916dc..8a916dc 100644
--- a/dbclient.1
+++ b/manpages/dbclient.1
diff --git a/dropbear.8 b/manpages/dropbear.8
index d9bbfc2..d9bbfc2 100644
--- a/dropbear.8
+++ b/manpages/dropbear.8
diff --git a/dropbearconvert.1 b/manpages/dropbearconvert.1
index 42f6c1b..42f6c1b 100644
--- a/dropbearconvert.1
+++ b/manpages/dropbearconvert.1
diff --git a/dropbearkey.1 b/manpages/dropbearkey.1
index d6860ea..d6860ea 100644
--- a/dropbearkey.1
+++ b/manpages/dropbearkey.1
diff --git a/agentfwd.h b/src/agentfwd.h
index d913aea..d913aea 100644
--- a/agentfwd.h
+++ b/src/agentfwd.h
diff --git a/algo.h b/src/algo.h
index c46b409..c46b409 100644
--- a/algo.h
+++ b/src/algo.h
diff --git a/atomicio.c b/src/atomicio.c
index 2aacf51..2aacf51 100644
--- a/atomicio.c
+++ b/src/atomicio.c
diff --git a/atomicio.h b/src/atomicio.h
index 0bd019f..0bd019f 100644
--- a/atomicio.h
+++ b/src/atomicio.h
diff --git a/auth.h b/src/auth.h
index 0e854fb..0e854fb 100644
--- a/auth.h
+++ b/src/auth.h
diff --git a/bignum.c b/src/bignum.c
index c2b39b1..c2b39b1 100644
--- a/bignum.c
+++ b/src/bignum.c
diff --git a/bignum.h b/src/bignum.h
index 861acb0..861acb0 100644
--- a/bignum.h
+++ b/src/bignum.h
diff --git a/buffer.c b/src/buffer.c
index 1377b77..1377b77 100644
--- a/buffer.c
+++ b/src/buffer.c
diff --git a/buffer.h b/src/buffer.h
index 0ba6683..0ba6683 100644
--- a/buffer.h
+++ b/src/buffer.h
diff --git a/chachapoly.c b/src/chachapoly.c
index c065fac..c065fac 100644
--- a/chachapoly.c
+++ b/src/chachapoly.c
diff --git a/chachapoly.h b/src/chachapoly.h
index 5a7c5b2..5a7c5b2 100644
--- a/chachapoly.h
+++ b/src/chachapoly.h
diff --git a/channel.h b/src/channel.h
index dd174aa..dd174aa 100644
--- a/channel.h
+++ b/src/channel.h
diff --git a/chansession.h b/src/chansession.h
index cf4fba3..cf4fba3 100644
--- a/chansession.h
+++ b/src/chansession.h
diff --git a/circbuffer.c b/src/circbuffer.c
index aabd9dc..aabd9dc 100644
--- a/circbuffer.c
+++ b/src/circbuffer.c
diff --git a/circbuffer.h b/src/circbuffer.h
index 5aaa762..5aaa762 100644
--- a/circbuffer.h
+++ b/src/circbuffer.h
diff --git a/cli-agentfwd.c b/src/cli-agentfwd.c
index 6fb5c4b..6fb5c4b 100644
--- a/cli-agentfwd.c
+++ b/src/cli-agentfwd.c
diff --git a/cli-auth.c b/src/cli-auth.c
index 20d6371..20d6371 100644
--- a/cli-auth.c
+++ b/src/cli-auth.c
diff --git a/cli-authinteract.c b/src/cli-authinteract.c
index 6d2fad7..6d2fad7 100644
--- a/cli-authinteract.c
+++ b/src/cli-authinteract.c
diff --git a/cli-authpasswd.c b/src/cli-authpasswd.c
index 91790ce..91790ce 100644
--- a/cli-authpasswd.c
+++ b/src/cli-authpasswd.c
diff --git a/cli-authpubkey.c b/src/cli-authpubkey.c
index 975d3bd..975d3bd 100644
--- a/cli-authpubkey.c
+++ b/src/cli-authpubkey.c
diff --git a/cli-channel.c b/src/cli-channel.c
index b88e913..b88e913 100644
--- a/cli-channel.c
+++ b/src/cli-channel.c
diff --git a/cli-chansession.c b/src/cli-chansession.c
index 73bee17..73bee17 100644
--- a/cli-chansession.c
+++ b/src/cli-chansession.c
diff --git a/cli-kex.c b/src/cli-kex.c
index 6cb75c2..6cb75c2 100644
--- a/cli-kex.c
+++ b/src/cli-kex.c
diff --git a/cli-main.c b/src/cli-main.c
index 065fd76..065fd76 100644
--- a/cli-main.c
+++ b/src/cli-main.c
diff --git a/cli-runopts.c b/src/cli-runopts.c
index 38a73f7..38a73f7 100644
--- a/cli-runopts.c
+++ b/src/cli-runopts.c
diff --git a/cli-session.c b/src/cli-session.c
index 5981b24..5981b24 100644
--- a/cli-session.c
+++ b/src/cli-session.c
diff --git a/cli-tcpfwd.c b/src/cli-tcpfwd.c
index 1b95615..1b95615 100644
--- a/cli-tcpfwd.c
+++ b/src/cli-tcpfwd.c
diff --git a/common-algo.c b/src/common-algo.c
index 378f0ca..378f0ca 100644
--- a/common-algo.c
+++ b/src/common-algo.c
diff --git a/common-channel.c b/src/common-channel.c
index be5b57f..be5b57f 100644
--- a/common-channel.c
+++ b/src/common-channel.c
diff --git a/common-chansession.c b/src/common-chansession.c
index b350c6c..b350c6c 100644
--- a/common-chansession.c
+++ b/src/common-chansession.c
diff --git a/common-kex.c b/src/common-kex.c
index ac88442..ac88442 100644
--- a/common-kex.c
+++ b/src/common-kex.c
diff --git a/common-runopts.c b/src/common-runopts.c
index e9ad314..e9ad314 100644
--- a/common-runopts.c
+++ b/src/common-runopts.c
diff --git a/common-session.c b/src/common-session.c
index 6991f57..6991f57 100644
--- a/common-session.c
+++ b/src/common-session.c
diff --git a/compat.c b/src/compat.c
index 8bd6add..8bd6add 100644
--- a/compat.c
+++ b/src/compat.c
diff --git a/compat.h b/src/compat.h
index 58fd58e..58fd58e 100644
--- a/compat.h
+++ b/src/compat.h
diff --git a/crypto_desc.c b/src/crypto_desc.c
index d0dcc82..d0dcc82 100644
--- a/crypto_desc.c
+++ b/src/crypto_desc.c
diff --git a/crypto_desc.h b/src/crypto_desc.h
index 08a75d9..08a75d9 100644
--- a/crypto_desc.h
+++ b/src/crypto_desc.h
diff --git a/curve25519.c b/src/curve25519.c
index 51e0e76..51e0e76 100644
--- a/curve25519.c
+++ b/src/curve25519.c
diff --git a/curve25519.h b/src/curve25519.h
index 55ef043..55ef043 100644
--- a/curve25519.h
+++ b/src/curve25519.h
diff --git a/dbhelpers.c b/src/dbhelpers.c
index ce5c379..ce5c379 100644
--- a/dbhelpers.c
+++ b/src/dbhelpers.c
diff --git a/dbhelpers.h b/src/dbhelpers.h
index 551bcb4..551bcb4 100644
--- a/dbhelpers.h
+++ b/src/dbhelpers.h
diff --git a/dbmalloc.c b/src/dbmalloc.c
index e2cdc8f..e2cdc8f 100644
--- a/dbmalloc.c
+++ b/src/dbmalloc.c
diff --git a/dbmalloc.h b/src/dbmalloc.h
index e5554e8..e5554e8 100644
--- a/dbmalloc.h
+++ b/src/dbmalloc.h
diff --git a/dbmulti.c b/src/dbmulti.c
index 28ee959..28ee959 100644
--- a/dbmulti.c
+++ b/src/dbmulti.c
diff --git a/dbrandom.c b/src/dbrandom.c
index 41aaa48..41aaa48 100644
--- a/dbrandom.c
+++ b/src/dbrandom.c
diff --git a/dbrandom.h b/src/dbrandom.h
index 1db2c2f..1db2c2f 100644
--- a/dbrandom.h
+++ b/src/dbrandom.h
diff --git a/dbutil.c b/src/dbutil.c
index e8831c5..e8831c5 100644
--- a/dbutil.c
+++ b/src/dbutil.c
diff --git a/dbutil.h b/src/dbutil.h
index df2f89b..df2f89b 100644
--- a/dbutil.h
+++ b/src/dbutil.h
diff --git a/debug.h b/src/debug.h
index ab32fbd..ab32fbd 100644
--- a/debug.h
+++ b/src/debug.h
diff --git a/dh_groups.c b/src/dh_groups.c
index 920f3f6..920f3f6 100644
--- a/dh_groups.c
+++ b/src/dh_groups.c
diff --git a/dh_groups.h b/src/dh_groups.h
index c995937..c995937 100644
--- a/dh_groups.h
+++ b/src/dh_groups.h
diff --git a/dropbear_lint.sh b/src/dropbear_lint.sh
index 4e8d33b..4e8d33b 100755
--- a/dropbear_lint.sh
+++ b/src/dropbear_lint.sh
diff --git a/dropbearconvert.c b/src/dropbearconvert.c
index 950608b..950608b 100644
--- a/dropbearconvert.c
+++ b/src/dropbearconvert.c
diff --git a/dropbearkey.c b/src/dropbearkey.c
index bd9c6af..bd9c6af 100644
--- a/dropbearkey.c
+++ b/src/dropbearkey.c
diff --git a/dss.c b/src/dss.c
index 012e72e..012e72e 100644
--- a/dss.c
+++ b/src/dss.c
diff --git a/dss.h b/src/dss.h
index 40806e5..40806e5 100644
--- a/dss.h
+++ b/src/dss.h
diff --git a/ecc.c b/src/ecc.c
index eaca65a..eaca65a 100644
--- a/ecc.c
+++ b/src/ecc.c
diff --git a/ecc.h b/src/ecc.h
index f4508f8..f4508f8 100644
--- a/ecc.h
+++ b/src/ecc.h
diff --git a/ecdsa.c b/src/ecdsa.c
index 5ac4e7b..5ac4e7b 100644
--- a/ecdsa.c
+++ b/src/ecdsa.c
diff --git a/ecdsa.h b/src/ecdsa.h
index 01cb134..01cb134 100644
--- a/ecdsa.h
+++ b/src/ecdsa.h
diff --git a/ed25519.c b/src/ed25519.c
index f200e13..f200e13 100644
--- a/ed25519.c
+++ b/src/ed25519.c
diff --git a/ed25519.h b/src/ed25519.h
index 1da9fbd..1da9fbd 100644
--- a/ed25519.h
+++ b/src/ed25519.h
diff --git a/fake-rfc2553.c b/src/fake-rfc2553.c
index 395cfcc..395cfcc 100644
--- a/fake-rfc2553.c
+++ b/src/fake-rfc2553.c
diff --git a/fake-rfc2553.h b/src/fake-rfc2553.h
index c64136c..c64136c 100644
--- a/fake-rfc2553.h
+++ b/src/fake-rfc2553.h
diff --git a/filelist.txt b/src/filelist.txt
index 3b9bb67..3b9bb67 100644
--- a/filelist.txt
+++ b/src/filelist.txt
diff --git a/fuzz-wrapfd.h b/src/fuzz-wrapfd.h
index d0dea88..d0dea88 100644
--- a/fuzz-wrapfd.h
+++ b/src/fuzz-wrapfd.h
diff --git a/fuzz.h b/src/fuzz.h
index 95cb4d8..95cb4d8 100644
--- a/fuzz.h
+++ b/src/fuzz.h
diff --git a/gcm.c b/src/gcm.c
index 2ceced1..2ceced1 100644
--- a/gcm.c
+++ b/src/gcm.c
diff --git a/gcm.h b/src/gcm.h
index 58c530a..58c530a 100644
--- a/gcm.h
+++ b/src/gcm.h
diff --git a/gendss.c b/src/gendss.c
index 46d161e..46d161e 100644
--- a/gendss.c
+++ b/src/gendss.c
diff --git a/gendss.h b/src/gendss.h
index 33858f2..33858f2 100644
--- a/gendss.h
+++ b/src/gendss.h
diff --git a/gened25519.c b/src/gened25519.c
index a027914..a027914 100644
--- a/gened25519.c
+++ b/src/gened25519.c
diff --git a/gened25519.h b/src/gened25519.h
index 8058310..8058310 100644
--- a/gened25519.h
+++ b/src/gened25519.h
diff --git a/genrsa.c b/src/genrsa.c
index e249d6e..e249d6e 100644
--- a/genrsa.c
+++ b/src/genrsa.c
diff --git a/genrsa.h b/src/genrsa.h
index 641d5a5..641d5a5 100644
--- a/genrsa.h
+++ b/src/genrsa.h
diff --git a/gensignkey.c b/src/gensignkey.c
index cfe0a80..cfe0a80 100644
--- a/gensignkey.c
+++ b/src/gensignkey.c
diff --git a/gensignkey.h b/src/gensignkey.h
index 73b9c3c..73b9c3c 100644
--- a/gensignkey.h
+++ b/src/gensignkey.h
diff --git a/includes.h b/src/includes.h
index 1e00002..98d35de 100644
--- a/includes.h
+++ b/src/includes.h
@@ -132,8 +132,8 @@
#endif
#ifdef BUNDLED_LIBTOM
-#include "libtomcrypt/src/headers/tomcrypt.h"
-#include "libtommath/tommath.h"
+#include "../libtomcrypt/src/headers/tomcrypt.h"
+#include "../libtommath/tommath.h"
#else
#include <tomcrypt.h>
#include <tommath.h>
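Review bot: The two `../` include paths in the `BUNDLED_LIBTOM` branch now hard-code that `includes.h` sits exactly one directory below `libtomcrypt/` and `libtommath/`, and nothing in the file says so. A short comment above them would help, for example `/* paths are relative to src/ so the bundled libtom headers are used, not a system tomcrypt.h on the include path */`. The resolution order is presumably what the author relies on here, since a quoted include is looked up next to the including file first. The comment matters because a mismatch between bundled crypto headers and a system library is hard to spot at build time.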
diff --git a/kex.h b/src/kex.h
index 77cf21a..77cf21a 100644
--- a/kex.h
+++ b/src/kex.h
diff --git a/keyimport.c b/src/keyimport.c
index e88ef46..e88ef46 100644
--- a/keyimport.c
+++ b/src/keyimport.c
diff --git a/keyimport.h b/src/keyimport.h
index b566fc9..b566fc9 100644
--- a/keyimport.h
+++ b/src/keyimport.h
diff --git a/list.c b/src/list.c
index eeba7c3..eeba7c3 100644
--- a/list.c
+++ b/src/list.c
diff --git a/list.h b/src/list.h
index 2b5cc07..2b5cc07 100644
--- a/list.h
+++ b/src/list.h
diff --git a/listener.c b/src/listener.c
index 4c60589..4c60589 100644
--- a/listener.c
+++ b/src/listener.c
diff --git a/listener.h b/src/listener.h
index 4a7f5ff..4a7f5ff 100644
--- a/listener.h
+++ b/src/listener.h
diff --git a/loginrec.c b/src/loginrec.c
index b543bcb..b543bcb 100644
--- a/loginrec.c
+++ b/src/loginrec.c
diff --git a/loginrec.h b/src/loginrec.h
index 6abde48..6abde48 100644
--- a/loginrec.h
+++ b/src/loginrec.h
diff --git a/ltc_prng.c b/src/ltc_prng.c
index 4f2e9e1..4f2e9e1 100644
--- a/ltc_prng.c
+++ b/src/ltc_prng.c
diff --git a/ltc_prng.h b/src/ltc_prng.h
index 6bc8273..6bc8273 100644
--- a/ltc_prng.h
+++ b/src/ltc_prng.h
diff --git a/netio.c b/src/netio.c
index b8aebea..b8aebea 100644
--- a/netio.c
+++ b/src/netio.c
diff --git a/netio.h b/src/netio.h
index 605512b..605512b 100644
--- a/netio.h
+++ b/src/netio.h
diff --git a/options.h b/src/options.h
index c12cfc9..c12cfc9 100644
--- a/options.h
+++ b/src/options.h
diff --git a/packet.c b/src/packet.c
index 1055588..1055588 100644
--- a/packet.c
+++ b/src/packet.c
diff --git a/packet.h b/src/packet.h
index e3ab808..e3ab808 100644
--- a/packet.h
+++ b/src/packet.h
diff --git a/process-packet.c b/src/process-packet.c
index 9454160..9454160 100644
--- a/process-packet.c
+++ b/src/process-packet.c
diff --git a/progressmeter.c b/src/progressmeter.c
index 2038fd3..2038fd3 100644
--- a/progressmeter.c
+++ b/src/progressmeter.c
diff --git a/progressmeter.h b/src/progressmeter.h
index bfb9a0b..bfb9a0b 100644
--- a/progressmeter.h
+++ b/src/progressmeter.h
diff --git a/pubkeyapi.h b/src/pubkeyapi.h
index 21b1f24..21b1f24 100644
--- a/pubkeyapi.h
+++ b/src/pubkeyapi.h
diff --git a/queue.c b/src/queue.c
index f3ece7f..f3ece7f 100644
--- a/queue.c
+++ b/src/queue.c
diff --git a/queue.h b/src/queue.h
index ee8ea43..ee8ea43 100644
--- a/queue.h
+++ b/src/queue.h
diff --git a/rsa.c b/src/rsa.c
index 6152e1c..6152e1c 100644
--- a/rsa.c
+++ b/src/rsa.c
diff --git a/rsa.h b/src/rsa.h
index a8bbf41..a8bbf41 100644
--- a/rsa.h
+++ b/src/rsa.h
diff --git a/runopts.h b/src/runopts.h
index d44283d..d44283d 100644
--- a/runopts.h
+++ b/src/runopts.h
diff --git a/scp.c b/src/scp.c
index 72e04f8..72e04f8 100644
--- a/scp.c
+++ b/src/scp.c
diff --git a/scpmisc.c b/src/scpmisc.c
index c2f053e..c2f053e 100644
--- a/scpmisc.c
+++ b/src/scpmisc.c
diff --git a/scpmisc.h b/src/scpmisc.h
index 369b327..369b327 100644
--- a/scpmisc.h
+++ b/src/scpmisc.h
diff --git a/service.h b/src/service.h
index eaa7ff6..eaa7ff6 100644
--- a/service.h
+++ b/src/service.h
diff --git a/session.h b/src/session.h
index 6706592..6706592 100644
--- a/session.h
+++ b/src/session.h
diff --git a/signkey.c b/src/signkey.c
index 0aacddb..0aacddb 100644
--- a/signkey.c
+++ b/src/signkey.c
diff --git a/signkey.h b/src/signkey.h
index c6829f2..c6829f2 100644
--- a/signkey.h
+++ b/src/signkey.h
diff --git a/signkey_ossh.c b/src/signkey_ossh.c
index 59b44ad..59b44ad 100644
--- a/signkey_ossh.c
+++ b/src/signkey_ossh.c
diff --git a/signkey_ossh.h b/src/signkey_ossh.h
index 080372c..080372c 100644
--- a/signkey_ossh.h
+++ b/src/signkey_ossh.h
diff --git a/sk-ecdsa.c b/src/sk-ecdsa.c
index bed7e50..bed7e50 100644
--- a/sk-ecdsa.c
+++ b/src/sk-ecdsa.c
diff --git a/sk-ecdsa.h b/src/sk-ecdsa.h
index e883bf8..e883bf8 100644
--- a/sk-ecdsa.h
+++ b/src/sk-ecdsa.h
diff --git a/sk-ed25519.c b/src/sk-ed25519.c
index b4827e3..b4827e3 100644
--- a/sk-ed25519.c
+++ b/src/sk-ed25519.c
diff --git a/sk-ed25519.h b/src/sk-ed25519.h
index 74ab7c8..74ab7c8 100644
--- a/sk-ed25519.h
+++ b/src/sk-ed25519.h
diff --git a/ssh.h b/src/ssh.h
index 1b4fec6..1b4fec6 100644
--- a/ssh.h
+++ b/src/ssh.h
diff --git a/sshpty.c b/src/sshpty.c
index 9f12d67..9f12d67 100644
--- a/sshpty.c
+++ b/src/sshpty.c
diff --git a/sshpty.h b/src/sshpty.h
index cf72072..cf72072 100644
--- a/sshpty.h
+++ b/src/sshpty.h
diff --git a/svr-agentfwd.c b/src/svr-agentfwd.c
index a8941ea..a8941ea 100644
--- a/svr-agentfwd.c
+++ b/src/svr-agentfwd.c
diff --git a/svr-auth.c b/src/svr-auth.c
index 10131f1..10131f1 100644
--- a/svr-auth.c
+++ b/src/svr-auth.c
diff --git a/svr-authpam.c b/src/svr-authpam.c
index ec14632..ec14632 100644
--- a/svr-authpam.c
+++ b/src/svr-authpam.c
diff --git a/svr-authpasswd.c b/src/svr-authpasswd.c
index 899a8ab..899a8ab 100644
--- a/svr-authpasswd.c
+++ b/src/svr-authpasswd.c
diff --git a/svr-authpubkey.c b/src/svr-authpubkey.c
index 5d298cb..5d298cb 100644
--- a/svr-authpubkey.c
+++ b/src/svr-authpubkey.c
diff --git a/svr-authpubkeyoptions.c b/src/svr-authpubkeyoptions.c
index df9a7df..df9a7df 100644
--- a/svr-authpubkeyoptions.c
+++ b/src/svr-authpubkeyoptions.c
diff --git a/svr-chansession.c b/src/svr-chansession.c
index 656a968..656a968 100644
--- a/svr-chansession.c
+++ b/src/svr-chansession.c
diff --git a/svr-kex.c b/src/svr-kex.c
index 7d0f12c..7d0f12c 100644
--- a/svr-kex.c
+++ b/src/svr-kex.c
diff --git a/svr-main.c b/src/svr-main.c
index b923e3c..b923e3c 100644
--- a/svr-main.c
+++ b/src/svr-main.c
diff --git a/svr-runopts.c b/src/svr-runopts.c
index 48d6cbf..48d6cbf 100644
--- a/svr-runopts.c
+++ b/src/svr-runopts.c
diff --git a/svr-service.c b/src/svr-service.c
index 0aa487c..0aa487c 100644
--- a/svr-service.c
+++ b/src/svr-service.c
diff --git a/svr-session.c b/src/svr-session.c
index 769f073..769f073 100644
--- a/svr-session.c
+++ b/src/svr-session.c
diff --git a/svr-tcpfwd.c b/src/svr-tcpfwd.c
index 7967cfa..7967cfa 100644
--- a/svr-tcpfwd.c
+++ b/src/svr-tcpfwd.c
diff --git a/svr-x11fwd.c b/src/svr-x11fwd.c
index 5d9e6a9..5d9e6a9 100644
--- a/svr-x11fwd.c
+++ b/src/svr-x11fwd.c
diff --git a/sysoptions.h b/src/sysoptions.h
index 82249f5..82249f5 100644
--- a/sysoptions.h
+++ b/src/sysoptions.h
diff --git a/tcp-accept.c b/src/tcp-accept.c
index 73cfa54..73cfa54 100644
--- a/tcp-accept.c
+++ b/src/tcp-accept.c
diff --git a/tcpfwd.h b/src/tcpfwd.h
index 69e5af2..69e5af2 100644
--- a/tcpfwd.h
+++ b/src/tcpfwd.h
diff --git a/termcodes.c b/src/termcodes.c
index c5819c1..c5819c1 100644
--- a/termcodes.c
+++ b/src/termcodes.c
diff --git a/termcodes.h b/src/termcodes.h
index cd76b7f..cd76b7f 100644
--- a/termcodes.h
+++ b/src/termcodes.h
diff --git a/x11fwd.h b/src/x11fwd.h
index 96f51b1..96f51b1 100644
--- a/x11fwd.h
+++ b/src/x11fwd.h
diff --git a/test/test_dropbear.py b/test/test_dropbear.py
index 77d1774..6652428 100644
--- a/test/test_dropbear.py
+++ b/test/test_dropbear.py
@@ -21,11 +21,12 @@ def dropbear(request):
# split so that "dropbearmulti dropbear" works
args = opt.dropbear.split() + [
- "-p", LOCALADDR, # bind locally only
+ "-p", LOCALADDR + ":" + opt.port, # bind locally only
"-r", opt.hostkey,
- "-p", opt.port,
"-F", "-E",
]
+ print("subprocess args: ", args)
+
p = subprocess.Popen(args, stderr=subprocess.PIPE, text=True)
# Wait until it has started listening
for l in p.stderr:
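Review bot: The added `print("subprocess args: ", args)` is unconditional debug output in the `dropbear` fixture, and the same line is added for `full_args` in the `dbclient` hunk that follows. Both print a Python list repr with a doubled space after the colon. `print("subprocess args:", shlex.join(args))` would give a command line that can be pasted into a shell when reproducing a failure; it needs `import shlex`, and the import block is outside this hunk. Separately, `LOCALADDR + ":" + opt.port` assumes `LOCALADDR` is an IPv4 literal or a hostname. Its definition is not visible here, so if it can ever be an IPv6 address the value would presumably need brackets around the address part.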
@@ -49,6 +50,7 @@ def dbclient(request, *args, **kwargs):
if opt.user:
base_args.extend(['-l', opt.user])
full_args = base_args + list(args)
+ print("subprocess args: ", full_args)
bg = kwargs.get("background")
if "background" in kwargs:
del kwargs["background"]
diff --git a/test/test_dropbearconvert.py b/test/test_dropbearconvert.py
index 9fd4772..5def7db 100644
--- a/test/test_dropbearconvert.py
+++ b/test/test_dropbearconvert.py
@@ -7,7 +7,6 @@ keytypes = [
"rsa", "rsa-4096",
"ed25519",
"ecdsa", "ecdsa-256", "ecdsa-384", "ecdsa-521",
- "dss",
]
def parse_keytype(kt):