diff options
author | Darren Tucker <dtucker@zip.com.au> | 2013-05-16 20:28:16 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2013-05-16 20:28:16 +1000 |
commit | c53c2af173cf67fd1c26f98e7900299b1b65b6ec (patch) | |
tree | 1c83d4abcdec31e4be6d8a2955fdad33b985b976 /packet.c | |
parent | 64c6fceecd27e1739040b42de8f3759454260b39 (diff) |
- dtucker@cvs.openbsd.org 2013/05/16 02:00:34
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
ssh_config.5 packet.h]
Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 33 |
1 files changed, 30 insertions, 3 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.183 2013/04/19 01:06:50 djm Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.184 2013/05/16 02:00:34 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -58,6 +58,7 @@ | |||
58 | #include <string.h> | 58 | #include <string.h> |
59 | #include <unistd.h> | 59 | #include <unistd.h> |
60 | #include <signal.h> | 60 | #include <signal.h> |
61 | #include <time.h> | ||
61 | 62 | ||
62 | #include "xmalloc.h" | 63 | #include "xmalloc.h" |
63 | #include "buffer.h" | 64 | #include "buffer.h" |
@@ -165,9 +166,14 @@ struct session_state { | |||
165 | Newkeys *newkeys[MODE_MAX]; | 166 | Newkeys *newkeys[MODE_MAX]; |
166 | struct packet_state p_read, p_send; | 167 | struct packet_state p_read, p_send; |
167 | 168 | ||
169 | /* Volume-based rekeying */ | ||
168 | u_int64_t max_blocks_in, max_blocks_out; | 170 | u_int64_t max_blocks_in, max_blocks_out; |
169 | u_int32_t rekey_limit; | 171 | u_int32_t rekey_limit; |
170 | 172 | ||
173 | /* Time-based rekeying */ | ||
174 | time_t rekey_interval; /* how often in seconds */ | ||
175 | time_t rekey_time; /* time of last rekeying */ | ||
176 | |||
171 | /* Session key for protocol v1 */ | 177 | /* Session key for protocol v1 */ |
172 | u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; | 178 | u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; |
173 | u_int ssh1_keylen; | 179 | u_int ssh1_keylen; |
@@ -1009,6 +1015,7 @@ packet_send2(void) | |||
1009 | /* after a NEWKEYS message we can send the complete queue */ | 1015 | /* after a NEWKEYS message we can send the complete queue */ |
1010 | if (type == SSH2_MSG_NEWKEYS) { | 1016 | if (type == SSH2_MSG_NEWKEYS) { |
1011 | active_state->rekeying = 0; | 1017 | active_state->rekeying = 0; |
1018 | active_state->rekey_time = time(NULL); | ||
1012 | while ((p = TAILQ_FIRST(&active_state->outgoing))) { | 1019 | while ((p = TAILQ_FIRST(&active_state->outgoing))) { |
1013 | type = p->type; | 1020 | type = p->type; |
1014 | debug("dequeue packet: %u", type); | 1021 | debug("dequeue packet: %u", type); |
@@ -1933,13 +1940,33 @@ packet_need_rekeying(void) | |||
1933 | (active_state->max_blocks_out && | 1940 | (active_state->max_blocks_out && |
1934 | (active_state->p_send.blocks > active_state->max_blocks_out)) || | 1941 | (active_state->p_send.blocks > active_state->max_blocks_out)) || |
1935 | (active_state->max_blocks_in && | 1942 | (active_state->max_blocks_in && |
1936 | (active_state->p_read.blocks > active_state->max_blocks_in)); | 1943 | (active_state->p_read.blocks > active_state->max_blocks_in)) || |
1944 | (active_state->rekey_interval != 0 && active_state->rekey_time + | ||
1945 | active_state->rekey_interval <= time(NULL)); | ||
1937 | } | 1946 | } |
1938 | 1947 | ||
1939 | void | 1948 | void |
1940 | packet_set_rekey_limit(u_int32_t bytes) | 1949 | packet_set_rekey_limits(u_int32_t bytes, time_t seconds) |
1941 | { | 1950 | { |
1951 | debug3("rekey after %lld bytes, %d seconds", (long long)bytes, | ||
1952 | (int)seconds); | ||
1942 | active_state->rekey_limit = bytes; | 1953 | active_state->rekey_limit = bytes; |
1954 | active_state->rekey_interval = seconds; | ||
1955 | /* | ||
1956 | * We set the time here so that in post-auth privsep slave we count | ||
1957 | * from the completion of the authentication. | ||
1958 | */ | ||
1959 | active_state->rekey_time = time(NULL); | ||
1960 | } | ||
1961 | |||
1962 | time_t | ||
1963 | packet_get_rekey_timeout(void) | ||
1964 | { | ||
1965 | time_t seconds; | ||
1966 | |||
1967 | seconds = active_state->rekey_time + active_state->rekey_interval - | ||
1968 | time(NULL); | ||
1969 | return (seconds < 0 ? 0 : seconds); | ||
1943 | } | 1970 | } |
1944 | 1971 | ||
1945 | void | 1972 | void |