diff options
author | Darren Tucker <dtucker@zip.com.au> | 2013-05-16 20:29:28 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2013-05-16 20:29:28 +1000 |
commit | 5f96f3b4bee11ae2b9b32ff9b881c3693e210f96 (patch) | |
tree | 1e1c647e73e447b06b194b38b5d39e95aec8bef9 /servconf.c | |
parent | c53c2af173cf67fd1c26f98e7900299b1b65b6ec (diff) |
- dtucker@cvs.openbsd.org 2013/05/16 04:09:14
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
page.
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 75 |
1 files changed, 70 insertions, 5 deletions
diff --git a/servconf.c b/servconf.c index b2a60fd6c..4e3026b83 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -20,6 +20,7 @@ | |||
20 | #include <netinet/in_systm.h> | 20 | #include <netinet/in_systm.h> |
21 | #include <netinet/ip.h> | 21 | #include <netinet/ip.h> |
22 | 22 | ||
23 | #include <ctype.h> | ||
23 | #include <netdb.h> | 24 | #include <netdb.h> |
24 | #include <pwd.h> | 25 | #include <pwd.h> |
25 | #include <stdio.h> | 26 | #include <stdio.h> |
@@ -110,6 +111,8 @@ initialize_server_options(ServerOptions *options) | |||
110 | options->permit_user_env = -1; | 111 | options->permit_user_env = -1; |
111 | options->use_login = -1; | 112 | options->use_login = -1; |
112 | options->compression = -1; | 113 | options->compression = -1; |
114 | options->rekey_limit = -1; | ||
115 | options->rekey_interval = -1; | ||
113 | options->allow_tcp_forwarding = -1; | 116 | options->allow_tcp_forwarding = -1; |
114 | options->allow_agent_forwarding = -1; | 117 | options->allow_agent_forwarding = -1; |
115 | options->num_allow_users = 0; | 118 | options->num_allow_users = 0; |
@@ -249,6 +252,10 @@ fill_default_server_options(ServerOptions *options) | |||
249 | options->use_login = 0; | 252 | options->use_login = 0; |
250 | if (options->compression == -1) | 253 | if (options->compression == -1) |
251 | options->compression = COMP_DELAYED; | 254 | options->compression = COMP_DELAYED; |
255 | if (options->rekey_limit == -1) | ||
256 | options->rekey_limit = 0; | ||
257 | if (options->rekey_interval == -1) | ||
258 | options->rekey_interval = 0; | ||
252 | if (options->allow_tcp_forwarding == -1) | 259 | if (options->allow_tcp_forwarding == -1) |
253 | options->allow_tcp_forwarding = FORWARD_ALLOW; | 260 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
254 | if (options->allow_agent_forwarding == -1) | 261 | if (options->allow_agent_forwarding == -1) |
@@ -320,7 +327,7 @@ typedef enum { | |||
320 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 327 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
321 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 328 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
322 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 329 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
323 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 330 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
324 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 331 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
325 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, | 332 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, |
326 | sMaxStartups, sMaxAuthTries, sMaxSessions, | 333 | sMaxStartups, sMaxAuthTries, sMaxSessions, |
@@ -422,6 +429,7 @@ static struct { | |||
422 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 429 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
423 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 430 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
424 | { "compression", sCompression, SSHCFG_GLOBAL }, | 431 | { "compression", sCompression, SSHCFG_GLOBAL }, |
432 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, | ||
425 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 433 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
426 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ | 434 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ |
427 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, | 435 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, |
@@ -800,14 +808,14 @@ process_server_config_line(ServerOptions *options, char *line, | |||
800 | const char *filename, int linenum, int *activep, | 808 | const char *filename, int linenum, int *activep, |
801 | struct connection_info *connectinfo) | 809 | struct connection_info *connectinfo) |
802 | { | 810 | { |
803 | char *cp, **charptr, *arg, *p; | 811 | char *cp, **charptr, *arg, *p, *endofnumber; |
804 | int cmdline = 0, *intptr, value, value2, n; | 812 | int cmdline = 0, *intptr, value, value2, n, port, scale; |
805 | SyslogFacility *log_facility_ptr; | 813 | SyslogFacility *log_facility_ptr; |
806 | LogLevel *log_level_ptr; | 814 | LogLevel *log_level_ptr; |
807 | ServerOpCodes opcode; | 815 | ServerOpCodes opcode; |
808 | int port; | ||
809 | u_int i, flags = 0; | 816 | u_int i, flags = 0; |
810 | size_t len; | 817 | size_t len; |
818 | long long orig, val64; | ||
811 | const struct multistate *multistate_ptr; | 819 | const struct multistate *multistate_ptr; |
812 | 820 | ||
813 | cp = line; | 821 | cp = line; |
@@ -1118,6 +1126,59 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1118 | multistate_ptr = multistate_compression; | 1126 | multistate_ptr = multistate_compression; |
1119 | goto parse_multistate; | 1127 | goto parse_multistate; |
1120 | 1128 | ||
1129 | case sRekeyLimit: | ||
1130 | arg = strdelim(&cp); | ||
1131 | if (!arg || *arg == '\0') | ||
1132 | fatal("%.200s line %d: Missing argument.", filename, | ||
1133 | linenum); | ||
1134 | if (strcmp(arg, "default") == 0) { | ||
1135 | val64 = 0; | ||
1136 | } else { | ||
1137 | if (arg[0] < '0' || arg[0] > '9') | ||
1138 | fatal("%.200s line %d: Bad number.", filename, | ||
1139 | linenum); | ||
1140 | orig = val64 = strtoll(arg, &endofnumber, 10); | ||
1141 | if (arg == endofnumber) | ||
1142 | fatal("%.200s line %d: Bad number.", filename, | ||
1143 | linenum); | ||
1144 | switch (toupper(*endofnumber)) { | ||
1145 | case '\0': | ||
1146 | scale = 1; | ||
1147 | break; | ||
1148 | case 'K': | ||
1149 | scale = 1<<10; | ||
1150 | break; | ||
1151 | case 'M': | ||
1152 | scale = 1<<20; | ||
1153 | break; | ||
1154 | case 'G': | ||
1155 | scale = 1<<30; | ||
1156 | break; | ||
1157 | default: | ||
1158 | fatal("%.200s line %d: Invalid RekeyLimit " | ||
1159 | "suffix", filename, linenum); | ||
1160 | } | ||
1161 | val64 *= scale; | ||
1162 | /* detect integer wrap and too-large limits */ | ||
1163 | if ((val64 / scale) != orig || val64 > UINT_MAX) | ||
1164 | fatal("%.200s line %d: RekeyLimit too large", | ||
1165 | filename, linenum); | ||
1166 | if (val64 != 0 && val64 < 16) | ||
1167 | fatal("%.200s line %d: RekeyLimit too small", | ||
1168 | filename, linenum); | ||
1169 | } | ||
1170 | if (*activep && options->rekey_limit == -1) | ||
1171 | options->rekey_limit = (u_int32_t)val64; | ||
1172 | if (cp != NULL) { /* optional rekey interval present */ | ||
1173 | if (strcmp(cp, "none") == 0) { | ||
1174 | (void)strdelim(&cp); /* discard */ | ||
1175 | break; | ||
1176 | } | ||
1177 | intptr = &options->rekey_interval; | ||
1178 | goto parse_time; | ||
1179 | } | ||
1180 | break; | ||
1181 | |||
1121 | case sGatewayPorts: | 1182 | case sGatewayPorts: |
1122 | intptr = &options->gateway_ports; | 1183 | intptr = &options->gateway_ports; |
1123 | multistate_ptr = multistate_gatewayports; | 1184 | multistate_ptr = multistate_gatewayports; |
@@ -1718,6 +1779,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1718 | M_CP_INTOPT(max_authtries); | 1779 | M_CP_INTOPT(max_authtries); |
1719 | M_CP_INTOPT(ip_qos_interactive); | 1780 | M_CP_INTOPT(ip_qos_interactive); |
1720 | M_CP_INTOPT(ip_qos_bulk); | 1781 | M_CP_INTOPT(ip_qos_bulk); |
1782 | M_CP_INTOPT(rekey_limit); | ||
1783 | M_CP_INTOPT(rekey_interval); | ||
1721 | 1784 | ||
1722 | /* See comment in servconf.h */ | 1785 | /* See comment in servconf.h */ |
1723 | COPY_MATCH_STRING_OPTS(); | 1786 | COPY_MATCH_STRING_OPTS(); |
@@ -2006,5 +2069,7 @@ dump_config(ServerOptions *o) | |||
2006 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2069 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
2007 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2070 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
2008 | 2071 | ||
2072 | printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); | ||
2073 | |||
2009 | channel_print_adm_permitted_opens(); | 2074 | channel_print_adm_permitted_opens(); |
2010 | } | 2075 | } |