aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch333
1 files changed, 333 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch b/package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch
new file mode 100644
index 0000000000..b8cb2d0698
--- /dev/null
+++ b/package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch
@@ -0,0 +1,333 @@
+
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1408460936 -28800
+# Node ID 0bb16232e7c4162daa43e8618521cf453847ac16
+# Parent 939944f0fca9b2dcdf8470bb24efcc37a3843e8b
+Make keepalive handling more robust, this should now match what OpenSSH does
+
+diff -r 939944f0fca9 -r 0bb16232e7c4 LICENSE
+--- a/LICENSE Wed Aug 13 22:07:43 2014 +0800
++++ b/LICENSE Tue Aug 19 23:08:56 2014 +0800
+@@ -8,7 +8,7 @@
+ Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the
+ same license:
+
+-Copyright (c) 2002-2013 Matt Johnston
++Copyright (c) 2002-2014 Matt Johnston
+ Portions copyright (c) 2004 Mihnea Stoenescu
+ All rights reserved.
+
+diff -r 939944f0fca9 -r 0bb16232e7c4 auth.h
+--- a/auth.h Wed Aug 13 22:07:43 2014 +0800
++++ b/auth.h Tue Aug 19 23:08:56 2014 +0800
+@@ -106,7 +106,7 @@
+ valid */
+ unsigned int failcount; /* Number of (failed) authentication attempts.*/
+ unsigned authdone : 1; /* 0 if we haven't authed, 1 if we have. Applies for
+- client and server (though has differing [obvious]
++ client and server (though has differing
+ meanings). */
+ unsigned perm_warn : 1; /* Server only, set if bad permissions on
+ ~/.ssh/authorized_keys have already been
+diff -r 939944f0fca9 -r 0bb16232e7c4 channel.h
+--- a/channel.h Wed Aug 13 22:07:43 2014 +0800
++++ b/channel.h Tue Aug 19 23:08:56 2014 +0800
+@@ -105,6 +105,9 @@
+ void setchannelfds(fd_set *readfd, fd_set *writefd);
+ void channelio(fd_set *readfd, fd_set *writefd);
+ struct Channel* getchannel();
++/* Returns an arbitrary channel that is in a ready state - not
++being initialised and no EOF in either direction. NULL if none. */
++struct Channel* get_any_ready_channel();
+
+ void recv_msg_channel_open();
+ void recv_msg_channel_request();
+@@ -128,8 +131,10 @@
+ void recv_msg_channel_open_confirmation();
+ void recv_msg_channel_open_failure();
+ #endif
++void start_send_channel_request(struct Channel *channel, unsigned char *type);
+
+ void send_msg_request_success();
+ void send_msg_request_failure();
+
++
+ #endif /* _CHANNEL_H_ */
+diff -r 939944f0fca9 -r 0bb16232e7c4 chansession.h
+--- a/chansession.h Wed Aug 13 22:07:43 2014 +0800
++++ b/chansession.h Tue Aug 19 23:08:56 2014 +0800
+@@ -89,7 +89,6 @@
+ #ifdef ENABLE_CLI_NETCAT
+ void cli_send_netcat_request();
+ #endif
+-void cli_start_send_channel_request(struct Channel *channel, unsigned char *type);
+
+ void svr_chansessinitialise();
+ extern const struct ChanType svrchansess;
+diff -r 939944f0fca9 -r 0bb16232e7c4 cli-agentfwd.c
+--- a/cli-agentfwd.c Wed Aug 13 22:07:43 2014 +0800
++++ b/cli-agentfwd.c Tue Aug 19 23:08:56 2014 +0800
+@@ -234,7 +234,7 @@
+ return;
+ }
+
+- cli_start_send_channel_request(channel, "auth-agent-req@openssh.com");
++ start_send_channel_request(channel, "auth-agent-req@openssh.com");
+ /* Don't want replies */
+ buf_putbyte(ses.writepayload, 0);
+ encrypt_packet();
+diff -r 939944f0fca9 -r 0bb16232e7c4 cli-chansession.c
+--- a/cli-chansession.c Wed Aug 13 22:07:43 2014 +0800
++++ b/cli-chansession.c Tue Aug 19 23:08:56 2014 +0800
+@@ -92,17 +92,6 @@
+ }
+ }
+
+-void cli_start_send_channel_request(struct Channel *channel,
+- unsigned char *type) {
+-
+- CHECKCLEARTOWRITE();
+- buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
+- buf_putint(ses.writepayload, channel->remotechan);
+-
+- buf_putstring(ses.writepayload, type, strlen(type));
+-
+-}
+-
+ /* Taken from OpenSSH's sshtty.c:
+ * RCSID("OpenBSD: sshtty.c,v 1.5 2003/09/19 17:43:35 markus Exp "); */
+ static void cli_tty_setup() {
+@@ -287,7 +276,7 @@
+
+ TRACE(("enter send_chansess_pty_req"))
+
+- cli_start_send_channel_request(channel, "pty-req");
++ start_send_channel_request(channel, "pty-req");
+
+ /* Don't want replies */
+ buf_putbyte(ses.writepayload, 0);
+@@ -330,7 +319,7 @@
+ reqtype = "shell";
+ }
+
+- cli_start_send_channel_request(channel, reqtype);
++ start_send_channel_request(channel, reqtype);
+
+ /* XXX TODO */
+ buf_putbyte(ses.writepayload, 0); /* Don't want replies */
+diff -r 939944f0fca9 -r 0bb16232e7c4 cli-session.c
+--- a/cli-session.c Wed Aug 13 22:07:43 2014 +0800
++++ b/cli-session.c Tue Aug 19 23:08:56 2014 +0800
+@@ -70,11 +70,15 @@
+ {SSH_MSG_USERAUTH_BANNER, recv_msg_userauth_banner}, /* client */
+ {SSH_MSG_USERAUTH_SPECIFIC_60, recv_msg_userauth_specific_60}, /* client */
+ {SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli},
++ {SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
++ {SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
+ #ifdef ENABLE_CLI_REMOTETCPFWD
+ {SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
+ {SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
+ #else
+- {SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */
++ /* For keepalive */
++ {SSH_MSG_REQUEST_SUCCESS, ignore_recv_response},
++ {SSH_MSG_REQUEST_FAILURE, ignore_recv_response},
+ #endif
+ {0, 0} /* End */
+ };
+diff -r 939944f0fca9 -r 0bb16232e7c4 common-channel.c
+--- a/common-channel.c Wed Aug 13 22:07:43 2014 +0800
++++ b/common-channel.c Tue Aug 19 23:08:56 2014 +0800
+@@ -627,7 +627,12 @@
+ && !channel->close_handler_done) {
+ channel->type->reqhandler(channel);
+ } else {
+- send_msg_channel_failure(channel);
++ int wantreply;
++ buf_eatstring(ses.payload);
++ wantreply = buf_getbool(ses.payload);
++ if (wantreply) {
++ send_msg_channel_failure(channel);
++ }
+ }
+
+ TRACE(("leave recv_msg_channel_request"))
+@@ -1134,3 +1139,30 @@
+ buf_putbyte(ses.writepayload, SSH_MSG_REQUEST_FAILURE);
+ encrypt_packet();
+ }
++
++struct Channel* get_any_ready_channel() {
++ if (ses.chancount == 0) {
++ return NULL;
++ }
++ size_t i;
++ for (i = 0; i < ses.chansize; i++) {
++ struct Channel *chan = ses.channels[i];
++ if (chan
++ && !(chan->sent_eof || chan->recv_eof)
++ && !(chan->await_open || chan->initconn)) {
++ return chan;
++ }
++ }
++ return NULL;
++}
++
++void start_send_channel_request(struct Channel *channel,
++ unsigned char *type) {
++
++ CHECKCLEARTOWRITE();
++ buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
++ buf_putint(ses.writepayload, channel->remotechan);
++
++ buf_putstring(ses.writepayload, type, strlen(type));
++
++}
+diff -r 939944f0fca9 -r 0bb16232e7c4 common-session.c
+--- a/common-session.c Wed Aug 13 22:07:43 2014 +0800
++++ b/common-session.c Tue Aug 19 23:08:56 2014 +0800
+@@ -394,19 +394,30 @@
+ return pos+1;
+ }
+
+-void ignore_recv_msg_request_failure() {
++void ignore_recv_response() {
+ // Do nothing
+- TRACE(("Ignored msg_request_failure"))
++ TRACE(("Ignored msg_request_response"))
+ }
+
+ static void send_msg_keepalive() {
+ CHECKCLEARTOWRITE();
+ time_t old_time_idle = ses.last_packet_time_idle;
+- /* Try to force a response from the other end. Some peers will
+- reply with SSH_MSG_REQUEST_FAILURE, some will reply with SSH_MSG_UNIMPLEMENTED */
+- buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST);
+- /* A short string */
+- buf_putstring(ses.writepayload, "k@dropbear.nl", 0);
++
++ struct Channel *chan = get_any_ready_channel();
++
++ if (chan) {
++ /* Channel requests are preferable, more implementations
++ handle them than SSH_MSG_GLOBAL_REQUEST */
++ TRACE(("keepalive channel request %d", chan->index))
++ start_send_channel_request(chan, DROPBEAR_KEEPALIVE_STRING);
++ } else {
++ TRACE(("keepalive global request"))
++ /* Some peers will reply with SSH_MSG_REQUEST_FAILURE,
++ some will reply with SSH_MSG_UNIMPLEMENTED, some will exit. */
++ buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST);
++ buf_putstring(ses.writepayload, DROPBEAR_KEEPALIVE_STRING,
++ strlen(DROPBEAR_KEEPALIVE_STRING));
++ }
+ buf_putbyte(ses.writepayload, 1); /* want_reply */
+ encrypt_packet();
+
+@@ -435,7 +446,10 @@
+ send_msg_kexinit();
+ }
+
+- if (opts.keepalive_secs > 0) {
++ if (opts.keepalive_secs > 0 && ses.authstate.authdone) {
++ /* Avoid sending keepalives prior to auth - those are
++ not valid pre-auth packet types */
++
+ /* Send keepalives if we've been idle */
+ if (now - ses.last_packet_time_any_sent >= opts.keepalive_secs) {
+ send_msg_keepalive();
+diff -r 939944f0fca9 -r 0bb16232e7c4 session.h
+--- a/session.h Wed Aug 13 22:07:43 2014 +0800
++++ b/session.h Tue Aug 19 23:08:56 2014 +0800
+@@ -47,7 +47,7 @@
+ void session_cleanup();
+ void send_session_identification();
+ void send_msg_ignore();
+-void ignore_recv_msg_request_failure();
++void ignore_recv_response();
+
+ void update_channel_prio();
+
+diff -r 939944f0fca9 -r 0bb16232e7c4 svr-chansession.c
+--- a/svr-chansession.c Wed Aug 13 22:07:43 2014 +0800
++++ b/svr-chansession.c Tue Aug 19 23:08:56 2014 +0800
+@@ -53,6 +53,7 @@
+ static void closechansess(struct Channel *channel);
+ static int newchansess(struct Channel *channel);
+ static void chansessionrequest(struct Channel *channel);
++static int sesscheckclose(struct Channel *channel);
+
+ static void send_exitsignalstatus(struct Channel *channel);
+ static void send_msg_chansess_exitstatus(struct Channel * channel,
+@@ -61,6 +62,14 @@
+ struct ChanSess * chansess);
+ static void get_termmodes(struct ChanSess *chansess);
+
++const struct ChanType svrchansess = {
++ 0, /* sepfds */
++ "session", /* name */
++ newchansess, /* inithandler */
++ sesscheckclose, /* checkclosehandler */
++ chansessionrequest, /* reqhandler */
++ closechansess, /* closehandler */
++};
+
+ /* required to clear environment */
+ extern char** environ;
+@@ -968,16 +977,6 @@
+ dropbear_exit("Child failed");
+ }
+
+-const struct ChanType svrchansess = {
+- 0, /* sepfds */
+- "session", /* name */
+- newchansess, /* inithandler */
+- sesscheckclose, /* checkclosehandler */
+- chansessionrequest, /* reqhandler */
+- closechansess, /* closehandler */
+-};
+-
+-
+ /* Set up the general chansession environment, in particular child-exit
+ * handling */
+ void svr_chansessinitialise() {
+diff -r 939944f0fca9 -r 0bb16232e7c4 svr-main.c
+--- a/svr-main.c Wed Aug 13 22:07:43 2014 +0800
++++ b/svr-main.c Tue Aug 19 23:08:56 2014 +0800
+@@ -409,7 +409,7 @@
+ size_t sockpos = 0;
+ int nsock;
+
+- TRACE(("listensockets: %d to try\n", svr_opts.portcount))
++ TRACE(("listensockets: %d to try", svr_opts.portcount))
+
+ for (i = 0; i < svr_opts.portcount; i++) {
+
+diff -r 939944f0fca9 -r 0bb16232e7c4 svr-session.c
+--- a/svr-session.c Wed Aug 13 22:07:43 2014 +0800
++++ b/svr-session.c Tue Aug 19 23:08:56 2014 +0800
+@@ -58,7 +58,10 @@
+ {SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open},
+ {SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof},
+ {SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close},
+- {SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */
++ {SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
++ {SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
++ {SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */
++ {SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */
+ #ifdef USING_LISTENERS
+ {SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
+ {SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
+diff -r 939944f0fca9 -r 0bb16232e7c4 sysoptions.h
+--- a/sysoptions.h Wed Aug 13 22:07:43 2014 +0800
++++ b/sysoptions.h Tue Aug 19 23:08:56 2014 +0800
+@@ -257,4 +257,7 @@
+ #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
+ #endif
+
++/* Use this string since some implementations might special-case it */
++#define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com"
++
+ /* no include guard for this file */
+