diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2013-05-16 20:29:28 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2013-05-16 20:29:28 +1000 |
| commit | 5f96f3b4bee11ae2b9b32ff9b881c3693e210f96 (patch) | |
| tree | 1e1c647e73e447b06b194b38b5d39e95aec8bef9 /servconf.c | |
| parent | c53c2af173cf67fd1c26f98e7900299b1b65b6ec (diff) | |
- dtucker@cvs.openbsd.org 2013/05/16 04:09:14
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
page.
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 75 |
1 files changed, 70 insertions, 5 deletions
diff --git a/servconf.c b/servconf.c index b2a60fd6c..4e3026b83 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -20,6 +20,7 @@ | |||
| 20 | #include <netinet/in_systm.h> | 20 | #include <netinet/in_systm.h> |
| 21 | #include <netinet/ip.h> | 21 | #include <netinet/ip.h> |
| 22 | 22 | ||
| 23 | #include <ctype.h> | ||
| 23 | #include <netdb.h> | 24 | #include <netdb.h> |
| 24 | #include <pwd.h> | 25 | #include <pwd.h> |
| 25 | #include <stdio.h> | 26 | #include <stdio.h> |
| @@ -110,6 +111,8 @@ initialize_server_options(ServerOptions *options) | |||
| 110 | options->permit_user_env = -1; | 111 | options->permit_user_env = -1; |
| 111 | options->use_login = -1; | 112 | options->use_login = -1; |
| 112 | options->compression = -1; | 113 | options->compression = -1; |
| 114 | options->rekey_limit = -1; | ||
| 115 | options->rekey_interval = -1; | ||
| 113 | options->allow_tcp_forwarding = -1; | 116 | options->allow_tcp_forwarding = -1; |
| 114 | options->allow_agent_forwarding = -1; | 117 | options->allow_agent_forwarding = -1; |
| 115 | options->num_allow_users = 0; | 118 | options->num_allow_users = 0; |
| @@ -249,6 +252,10 @@ fill_default_server_options(ServerOptions *options) | |||
| 249 | options->use_login = 0; | 252 | options->use_login = 0; |
| 250 | if (options->compression == -1) | 253 | if (options->compression == -1) |
| 251 | options->compression = COMP_DELAYED; | 254 | options->compression = COMP_DELAYED; |
| 255 | if (options->rekey_limit == -1) | ||
| 256 | options->rekey_limit = 0; | ||
| 257 | if (options->rekey_interval == -1) | ||
| 258 | options->rekey_interval = 0; | ||
| 252 | if (options->allow_tcp_forwarding == -1) | 259 | if (options->allow_tcp_forwarding == -1) |
| 253 | options->allow_tcp_forwarding = FORWARD_ALLOW; | 260 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
| 254 | if (options->allow_agent_forwarding == -1) | 261 | if (options->allow_agent_forwarding == -1) |
| @@ -320,7 +327,7 @@ typedef enum { | |||
| 320 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 327 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
| 321 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 328 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
| 322 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 329 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
| 323 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 330 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
| 324 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 331 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
| 325 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, | 332 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, |
| 326 | sMaxStartups, sMaxAuthTries, sMaxSessions, | 333 | sMaxStartups, sMaxAuthTries, sMaxSessions, |
| @@ -422,6 +429,7 @@ static struct { | |||
| 422 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 429 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
| 423 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 430 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
| 424 | { "compression", sCompression, SSHCFG_GLOBAL }, | 431 | { "compression", sCompression, SSHCFG_GLOBAL }, |
| 432 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, | ||
| 425 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 433 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
| 426 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ | 434 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ |
| 427 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, | 435 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, |
| @@ -800,14 +808,14 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 800 | const char *filename, int linenum, int *activep, | 808 | const char *filename, int linenum, int *activep, |
| 801 | struct connection_info *connectinfo) | 809 | struct connection_info *connectinfo) |
| 802 | { | 810 | { |
| 803 | char *cp, **charptr, *arg, *p; | 811 | char *cp, **charptr, *arg, *p, *endofnumber; |
| 804 | int cmdline = 0, *intptr, value, value2, n; | 812 | int cmdline = 0, *intptr, value, value2, n, port, scale; |
| 805 | SyslogFacility *log_facility_ptr; | 813 | SyslogFacility *log_facility_ptr; |
| 806 | LogLevel *log_level_ptr; | 814 | LogLevel *log_level_ptr; |
| 807 | ServerOpCodes opcode; | 815 | ServerOpCodes opcode; |
| 808 | int port; | ||
| 809 | u_int i, flags = 0; | 816 | u_int i, flags = 0; |
| 810 | size_t len; | 817 | size_t len; |
| 818 | long long orig, val64; | ||
| 811 | const struct multistate *multistate_ptr; | 819 | const struct multistate *multistate_ptr; |
| 812 | 820 | ||
| 813 | cp = line; | 821 | cp = line; |
| @@ -1118,6 +1126,59 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1118 | multistate_ptr = multistate_compression; | 1126 | multistate_ptr = multistate_compression; |
| 1119 | goto parse_multistate; | 1127 | goto parse_multistate; |
| 1120 | 1128 | ||
| 1129 | case sRekeyLimit: | ||
| 1130 | arg = strdelim(&cp); | ||
| 1131 | if (!arg || *arg == '\0') | ||
| 1132 | fatal("%.200s line %d: Missing argument.", filename, | ||
| 1133 | linenum); | ||
| 1134 | if (strcmp(arg, "default") == 0) { | ||
| 1135 | val64 = 0; | ||
| 1136 | } else { | ||
| 1137 | if (arg[0] < '0' || arg[0] > '9') | ||
| 1138 | fatal("%.200s line %d: Bad number.", filename, | ||
| 1139 | linenum); | ||
| 1140 | orig = val64 = strtoll(arg, &endofnumber, 10); | ||
| 1141 | if (arg == endofnumber) | ||
| 1142 | fatal("%.200s line %d: Bad number.", filename, | ||
| 1143 | linenum); | ||
| 1144 | switch (toupper(*endofnumber)) { | ||
| 1145 | case '\0': | ||
| 1146 | scale = 1; | ||
| 1147 | break; | ||
| 1148 | case 'K': | ||
| 1149 | scale = 1<<10; | ||
| 1150 | break; | ||
| 1151 | case 'M': | ||
| 1152 | scale = 1<<20; | ||
| 1153 | break; | ||
| 1154 | case 'G': | ||
| 1155 | scale = 1<<30; | ||
| 1156 | break; | ||
| 1157 | default: | ||
| 1158 | fatal("%.200s line %d: Invalid RekeyLimit " | ||
| 1159 | "suffix", filename, linenum); | ||
| 1160 | } | ||
| 1161 | val64 *= scale; | ||
| 1162 | /* detect integer wrap and too-large limits */ | ||
| 1163 | if ((val64 / scale) != orig || val64 > UINT_MAX) | ||
| 1164 | fatal("%.200s line %d: RekeyLimit too large", | ||
| 1165 | filename, linenum); | ||
| 1166 | if (val64 != 0 && val64 < 16) | ||
| 1167 | fatal("%.200s line %d: RekeyLimit too small", | ||
| 1168 | filename, linenum); | ||
| 1169 | } | ||
| 1170 | if (*activep && options->rekey_limit == -1) | ||
| 1171 | options->rekey_limit = (u_int32_t)val64; | ||
| 1172 | if (cp != NULL) { /* optional rekey interval present */ | ||
| 1173 | if (strcmp(cp, "none") == 0) { | ||
| 1174 | (void)strdelim(&cp); /* discard */ | ||
| 1175 | break; | ||
| 1176 | } | ||
| 1177 | intptr = &options->rekey_interval; | ||
| 1178 | goto parse_time; | ||
| 1179 | } | ||
| 1180 | break; | ||
| 1181 | |||
| 1121 | case sGatewayPorts: | 1182 | case sGatewayPorts: |
| 1122 | intptr = &options->gateway_ports; | 1183 | intptr = &options->gateway_ports; |
| 1123 | multistate_ptr = multistate_gatewayports; | 1184 | multistate_ptr = multistate_gatewayports; |
| @@ -1718,6 +1779,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
| 1718 | M_CP_INTOPT(max_authtries); | 1779 | M_CP_INTOPT(max_authtries); |
| 1719 | M_CP_INTOPT(ip_qos_interactive); | 1780 | M_CP_INTOPT(ip_qos_interactive); |
| 1720 | M_CP_INTOPT(ip_qos_bulk); | 1781 | M_CP_INTOPT(ip_qos_bulk); |
| 1782 | M_CP_INTOPT(rekey_limit); | ||
| 1783 | M_CP_INTOPT(rekey_interval); | ||
| 1721 | 1784 | ||
| 1722 | /* See comment in servconf.h */ | 1785 | /* See comment in servconf.h */ |
| 1723 | COPY_MATCH_STRING_OPTS(); | 1786 | COPY_MATCH_STRING_OPTS(); |
| @@ -2006,5 +2069,7 @@ dump_config(ServerOptions *o) | |||
| 2006 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2069 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
| 2007 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2070 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
| 2008 | 2071 | ||
| 2072 | printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); | ||
| 2073 | |||
| 2009 | channel_print_adm_permitted_opens(); | 2074 | channel_print_adm_permitted_opens(); |
| 2010 | } | 2075 | } |