Skip to content

Commit

Permalink
dropbear: update to 2022.83nb1.
Browse files Browse the repository at this point in the history
Include terrapin fix and bump PKGREVISION to make clear this
is not 2022.83.

2022.83 - 14 November 2022

Features and Changes:
  Note >> for compatibility/configuration changes

- >> Disable DROPBEAR_DSS by default
  It is only 1024 bit and uses sha1, most distros disable it by default already.

- Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
  >> RSA with sha1 will be disabled in a future release (rsa keys will continue
  to work OK, with sha256 signatures used instead).

- Add option for requiring both password and pubkey (-t)
  Patch from Jackkal

- Add 'no-touch-required' and 'verify-required' options for sk keys
  Patch from Egor Duda

  - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
  and DROPBEAR_SK_ED25519 options.

- Add 'permitopen' option for authorized_keys to restrict forwarded ports
  Patch from Tuomas Haikarainen

- >> Added LTM_CFLAGS configure argument to set flags for building
  bundled libtommath. This also restores the previous arguments used
  in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
  key generation, which regressed in 2022.82.
  There is a tradeoff with code size, so -Os can be used if required.
  mkj/dropbear#174
  Reported by David Bernard

- Add '-z' flag to disable setting QoS traffic class. This may be necessary
  to work with broken networks or network drivers, exposed after changes to use
  AF21 in 2022.82
  mkj/dropbear#193
  Reported by yuhongwei380, patch from Petr Štetiar

- Allow overriding user shells with COMPAT_USER_SHELLS
  Based on a patch from Matt Robinson

- Improve permission error message
  Patch from k-kurematsu

- >> Remove HMAC_MD5 entirely

Regression fixes from 2022.82:

- Fix X11 build

- Fix build warning

- Fix compilation when disabling pubkey authentication
  Patch from MaxMougg

- Fix MAX_UNAUTH_CLIENTS regression
  Reported by ptpt52

- Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
  mkj/dropbear#174
  Suggested by Steffen Jaeckel

- Fix Dropbear plugin support
  mkj/dropbear#194
  Reported by Struan Bartlett

Other fixes:

- Fix long standing incorrect compression size check. Dropbear
  (client or server) would erroneously exit with
  "bad packet, oversized decompressed"
  when receiving a compressed packet of exactly the maximum size.

- Fix missing setsid() removed in 2020.79
  mkj/dropbear#180
  Reported and debugged by m5jt and David Bernard

- Try keyboard-interactive auth before password, in dbclient.
  This was unintentionally changed back in 2013
  mkj/dropbear#190
  Patch from Michele Giacomoli

- Drain the terminal when reading the fingerprint confirmation response
  mkj/dropbear#191
  Patch from Michele Giacomoli

- Fix utx wtmp variable typo. This has been wrong for a long time but
  only recently became a problem when wtmp was detected.
  mkj/dropbear#189
  Patch from Michele Giacomoli

- Improve configure test for hardening options.
  Fixes building on AIX
  mkj/dropbear#158

- Fix debian/dropbear.init newline
  From wulei-student

Infrastructure:

- Test off-by-default compile options

- Set -Wundef to catch typos in #if statements


2022.82 - 1 April 2022

Features and Changes:
  Note >> for compatibility/configuration changes

- Implemented OpenSSH format private key handling for dropbearconvert.
  Keys can be read in OpenSSH format or the old PEM format.
  >> Keys are now written in OpenSSH format rather than PEM.
  ED25519 support is now correct. DSS keys are still PEM format.

- Use SHA256 for key fingerprints

- >> Reworked -v verbose printing, specifying multiple times will increase
  verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it
  can be configured at compile time in localoptions.h (see default_options.h)
  Lower -v options can be used to check connection progress or algorithm
  negotiation.
  Thanks to Hans Harder for the implementation

  localoptions.h DEBUG_TRACE should be set to 4 for the same result as the
  previous DEBUG_TRACE 1.

- Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in
  authorized_keys. no-touch-required option isn't allowed yet.
  Thanks to Egor Duda for the implementation

- autoconf output (configure script etc) is now committed to version control.
  >> It isn't necessary to run "autoconf" any more on a checkout.

- sha1 will be omitted from the build if KEX/signing/MAC algorithms don't
  require it. Instead sha256 is used for random number generation.
  See sysoptions.h to see which algorithms require which hashes.

- Set SSH_PUBKEYINFO environment variable based on the authorized_keys
  entry used for auth. The first word of the comment after the key is used
  (must only have characters a-z A-Z 0-9 .,_-+@)
  Patch from Hans Harder, modified by Matt Johnston

- Let dbclient multihop mode be used with '-J'.
  Patch from Hans Harder

- Allow home-directory relative paths ~/path for various settings
  and command line options.
  *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME
  Thanks to Begley Brothers Inc

  >> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs
  a tilde prefix.

- LANG environment variable is carried over from the Dropbear server process
  From Maxim Kochetkov

- Add /usr/sbin and /sbin to $PATH when logging in as root.
  Patch from Raphaël Hertzog
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403

- Added client option "-o DisableTrivialAuth". It disallows a server immediately
  giving successful authentication (without presenting any password/pubkey prompt).
  This avoids a UI confusion issue where it may appear that the user is accepting
  a SSH agent prompt from their local machine, but are actually accepting a prompt
  sent immediately by the remote server.
  CVE-2021-36369 though the description there is a bit confused. It only applies
  to Dropbear as a client.
  Thanks to Manfred Kaiser from Austrian MilCERT

- Add -q client option to hide remote banner, from Hans Harder

- Add -e option to pass all server environment variables to child processes.
  This should be used with caution.
  Patch from Roland Vollgraf (github #118)

- >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to
  AF21 "interactive". Previously TOS classes were used, they are not used by
  modern traffic classifiers. Non-tty traffic is left at default priority.

- >> Disable dh-group1 key exchange by default. It has been disabled server
  side by default since 2018.

- >> Removed Twofish cipher

Fixes:

- Fix flushing channel data when pty was allocated (github #85)
  Data wasn't completely transmitted at channel close.
  Reported and initial patch thanks to Yousong Zhou

- Dropbear now re-executes itself rather than just forking for each connection
  (only on Linux). This allows ASLR to randomise address space for each
  connection as a security mitigation. It should not have any visible impact
  - if there are any performance impacts in the wild please report it.

- Check authorized_keys permissions as the user, fixes NFS squash root.
  Patch from Chris Dragan (github #107)

- A missing home directory is now non-fatal, starting in / instead

- Fixed IPv6 [address]:port parsing for dbclient -b
  Reported by Fabio Molinari

- Improve error logging so that they are logged on the server rather than being
  sent to the client over the connection

- Max window size is increased to 10MB, more graceful fallback if it's invalid.

- Fix correctness of Dropbear's handling of global requests.
  Patch from Dirkjan Bussink

- Fix some small bugs found by fuzzers, null pointer dereference crash and leaks
  (post authentication)

- $HOME variable is used before /etc/passwd when expanding paths such as
  ~/.ssh/id_dropbear (for the client). Patch from Matt Robinson

- C89 build fixes from Guillaume Picquet

Infrastructure:

- Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can
  handle the structure of SSH packet streams. Added cifuzz to run on commits
  and pull requests.
  Thanks to OSS-Fuzz for the tools/clusters and reward funding.

- Dropbear source tarballs generated by release.sh are now reproducible from a
  Git or Mercurial checkout, they will be identical on any system. Tested
  on ubuntu and macos.

- Added some integration testing using pytest. Currently this has tests
  for various channel handling edge cases, ASLR fork randomisation,
  dropbearconvert, and SSH_PUBKEYINFO

- Set up github actions. This runs the pytest suite and other checks.
  - build matrix includes c89, dropbearmulti, bundled libtom, macos, DEBUG_TRACE
  - test for configure script regeneration
  - build a tarball for external reproducibility
  • Loading branch information
0-wiz-0 committed Dec 20, 2023
1 parent 3fa7695 commit 5e638d7
Show file tree
Hide file tree
Showing 10 changed files with 254 additions and 13 deletions.
5 changes: 3 additions & 2 deletions security/dropbear/Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# $NetBSD: Makefile,v 1.38 2023/05/25 21:28:09 wiz Exp $
# $NetBSD: Makefile,v 1.39 2023/12/20 17:09:35 wiz Exp $

DISTNAME= dropbear-2020.81
DISTNAME= dropbear-2022.83
PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
EXTRACT_SUFX= .tar.bz2
Expand Down
17 changes: 12 additions & 5 deletions security/dropbear/distinfo
Original file line number Diff line number Diff line change
@@ -1,7 +1,14 @@
$NetBSD: distinfo,v 1.29 2021/10/26 11:17:03 nia Exp $
$NetBSD: distinfo,v 1.30 2023/12/20 17:09:35 wiz Exp $

BLAKE2s (dropbear-2020.81.tar.bz2) = c8b6f5a9c588a6b6998fb3c6b5cf77407a560452b812e00c21daf5144d369855
SHA512 (dropbear-2020.81.tar.bz2) = 2fa9d4d7dcb1c81281f5e47c8a99b7300eb46b3bb605daaec956404eae9124879a8bbbef521dea6da8b3643f3dc6f7f5005e265bfcaba97e89812f5642c294da
Size (dropbear-2020.81.tar.bz2) = 2289644 bytes
SHA1 (patch-configure) = 95c82b951d16a5cca92a3d4d7ef67b7eb5f47540
BLAKE2s (dropbear-2022.83.tar.bz2) = 71657e1f82711df54fc15b4aedf48e4bc6f3b79dc67e1016aec6711863e09fb1
SHA512 (dropbear-2022.83.tar.bz2) = c63afa615d64b0c8c5e739c758eb8ae277ecc36a4223b766bf562702de69910904cbc3ea98d22989df478ae419e1f81057fe1ee09616c80cb859f58f44175422
Size (dropbear-2022.83.tar.bz2) = 2322904 bytes
SHA1 (patch-cli-session.c) = c994f83283c38ae966a32cb97432305d2ae61ec5
SHA1 (patch-common-algo.c) = aca565c1bb2329466fa3e06c4602ae7750744099
SHA1 (patch-common-kex.c) = dfa5fdec1e62913db6475ba656f92cd4df46be78
SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494
SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb
SHA1 (patch-kex.h) = 5a59be28ca209d8da26554fdeb2fdb5b84ddaf7c
SHA1 (patch-process-packet.c) = 5f9a2c7e150786cb1cf974ffe3a294891e3b3e3e
SHA1 (patch-ssh.h) = 9e830d59e26d5411713629fb4e716265eee85efe
SHA1 (patch-svr-session.c) = 8cefae13d159e48b0834885167dfde79cd36e216
36 changes: 36 additions & 0 deletions security/dropbear/patches/patch-cli-session.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
$NetBSD: patch-cli-session.c,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- cli-session.c.orig 2022-11-14 14:30:00.000000000 +0000
+++ cli-session.c
@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NO
static void recv_msg_service_accept(void);
static void cli_session_cleanup(void);
static void recv_msg_global_request_cli(void);
+static void cli_algos_initialise(void);

struct clientsession cli_ses; /* GLOBAL */

@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_o
}

chaninitialise(cli_chantypes);
+ cli_algos_initialise();

/* Set up cli_ses vars */
cli_session_init(proxy_cmd_pid);
@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, cons
fflush(stderr);
}

+static void cli_algos_initialise(void) {
+ algo_type *algo;
+ for (algo = sshkex; algo->name; algo++) {
+ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
+ algo->usable = 0;
+ }
+ }
+}
+
20 changes: 20 additions & 0 deletions security/dropbear/patches/patch-common-algo.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
$NetBSD: patch-common-algo.c,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- common-algo.c.orig 2022-11-14 14:30:00.000000000 +0000
+++ common-algo.c
@@ -308,6 +308,12 @@ algo_type sshkex[] = {
{SSH_EXT_INFO_C, 0, NULL, 1, NULL},
#endif
#endif
+#if DROPBEAR_CLIENT
+ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
+#endif
+#if DROPBEAR_SERVER
+ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
+#endif
{NULL, 0, NULL, 0, NULL}
};

61 changes: 61 additions & 0 deletions security/dropbear/patches/patch-common-kex.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
$NetBSD: patch-common-kex.c,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- common-kex.c.orig 2022-11-14 14:30:00.000000000 +0000
+++ common-kex.c
@@ -183,6 +183,10 @@ void send_msg_newkeys() {
gen_new_keys();
switch_keys();

+ if (ses.kexstate.strict_kex) {
+ ses.transseq = 0;
+ }
+
TRACE(("leave send_msg_newkeys"))
}

@@ -193,7 +197,11 @@ void recv_msg_newkeys() {

ses.kexstate.recvnewkeys = 1;
switch_keys();
-
+
+ if (ses.kexstate.strict_kex) {
+ ses.recvseq = 0;
+ }
+
TRACE(("leave recv_msg_newkeys"))
}

@@ -550,6 +558,10 @@ void recv_msg_kexinit() {

ses.kexstate.recvkexinit = 1;

+ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
+ dropbear_exit("First packet wasn't kexinit");
+ }
+
TRACE(("leave recv_msg_kexinit"))
}

@@ -859,6 +871,18 @@ static void read_kex_algos() {
}
#endif

+ if (!ses.kexstate.donefirstkex) {
+ const char* strict_name;
+ if (IS_DROPBEAR_CLIENT) {
+ strict_name = SSH_STRICT_KEX_S;
+ } else {
+ strict_name = SSH_STRICT_KEX_C;
+ }
+ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
+ ses.kexstate.strict_kex = 1;
+ }
+ }
+
algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
allgood &= goodguess;
if (algo == NULL || algo->data == NULL) {
12 changes: 6 additions & 6 deletions security/dropbear/patches/patch-configure
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
$NetBSD: patch-configure,v 1.1 2017/05/16 21:54:21 snj Exp $
$NetBSD: patch-configure,v 1.2 2023/12/20 17:09:36 wiz Exp $

this test for the system libtomcrypt needs -ltommath.

--- configure.orig 2017-04-25 21:47:13.570580493 -0700
+++ configure 2017-04-25 21:47:30.336185297 -0700
@@ -5963,7 +5963,7 @@ if ${ac_cv_lib_tomcrypt_register_cipher+
$as_echo_n "(cached) " >&6
else
--- configure.orig 2022-11-14 14:30:00.000000000 +0000
+++ configure
@@ -7701,7 +7701,7 @@ then :
printf %s "(cached) " >&6
else $as_nop
ac_check_lib_save_LIBS=$LIBS
-LIBS="-ltomcrypt $LIBS"
+LIBS="-ltomcrypt -ltommath $LIBS"
Expand Down
17 changes: 17 additions & 0 deletions security/dropbear/patches/patch-kex.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
$NetBSD: patch-kex.h,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- kex.h.orig 2022-11-14 14:30:00.000000000 +0000
+++ kex.h
@@ -83,6 +83,9 @@ struct KEXState {

unsigned our_first_follows_matches : 1;

+ /* Boolean indicating that strict kex mode is in use */
+ unsigned int strict_kex;
+
time_t lastkextime; /* time of the last kex */
unsigned int datatrans; /* data transmitted since last kex */
unsigned int datarecv; /* data received since last kex */
64 changes: 64 additions & 0 deletions security/dropbear/patches/patch-process-packet.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
$NetBSD: patch-process-packet.c,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- process-packet.c.orig 2022-11-14 14:30:00.000000000 +0000
+++ process-packet.c
@@ -44,6 +44,7 @@ void process_packet() {

unsigned char type;
unsigned int i;
+ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
time_t now;

TRACE2(("enter process_packet"))
@@ -54,22 +55,24 @@ void process_packet() {
now = monotonic_now();
ses.last_packet_time_keepalive_recv = now;

- /* These packets we can receive at any time */
- switch(type) {

- case SSH_MSG_IGNORE:
- goto out;
- case SSH_MSG_DEBUG:
- goto out;
+ if (type == SSH_MSG_DISCONNECT) {
+ /* Allowed at any time */
+ dropbear_close("Disconnect received");
+ }

- case SSH_MSG_UNIMPLEMENTED:
- /* debugging XXX */
- TRACE(("SSH_MSG_UNIMPLEMENTED"))
- goto out;
-
- case SSH_MSG_DISCONNECT:
- /* TODO cleanup? */
- dropbear_close("Disconnect received");
+ /* These packets may be received at any time,
+ except during first kex with strict kex */
+ if (!first_strict_kex) {
+ switch(type) {
+ case SSH_MSG_IGNORE:
+ goto out;
+ case SSH_MSG_DEBUG:
+ goto out;
+ case SSH_MSG_UNIMPLEMENTED:
+ TRACE(("SSH_MSG_UNIMPLEMENTED"))
+ goto out;
+ }
}

/* Ignore these packet types so that keepalives don't interfere with
@@ -98,7 +101,8 @@ void process_packet() {
if (type >= 1 && type <= 49
&& type != SSH_MSG_SERVICE_REQUEST
&& type != SSH_MSG_SERVICE_ACCEPT
- && type != SSH_MSG_KEXINIT)
+ && type != SSH_MSG_KEXINIT
+ && !first_strict_kex)
{
TRACE(("unknown allowed packet during kexinit"))
recv_unimplemented();
18 changes: 18 additions & 0 deletions security/dropbear/patches/patch-ssh.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
$NetBSD: patch-ssh.h,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- ssh.h.orig 2022-11-14 14:30:00.000000000 +0000
+++ ssh.h
@@ -100,6 +100,10 @@
#define SSH_EXT_INFO_C "ext-info-c"
#define SSH_SERVER_SIG_ALGS "server-sig-algs"

+/* OpenSSH strict KEX feature */
+#define SSH_STRICT_KEX_S "[email protected]"
+#define SSH_STRICT_KEX_C "[email protected]"
+
/* service types */
#define SSH_SERVICE_USERAUTH "ssh-userauth"
#define SSH_SERVICE_USERAUTH_LEN 12
17 changes: 17 additions & 0 deletions security/dropbear/patches/patch-svr-session.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
$NetBSD: patch-svr-session.c,v 1.1 2023/12/20 17:09:36 wiz Exp $

Terrapin fix
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356

--- svr-session.c.orig 2022-11-14 14:30:00.000000000 +0000
+++ svr-session.c
@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) {
algo->usable = 0;
}
#endif
+ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
+ algo->usable = 0;
+ }
}
}

0 comments on commit 5e638d7

Please sign in to comment.