-rw-r--r-- | packet.c | 19 | ||||
-rw-r--r-- | packet.h | 4 | ||||
-rw-r--r-- | readconf.c | 12 | ||||
-rw-r--r-- | servconf.c | 10 | ||||
-rw-r--r-- | sshd.c | 4 |
5 files changed, 22 insertions, 27 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.223 2016/01/29 02:42:46 dtucker Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.224 2016/01/29 02:54:45 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -180,8 +180,7 @@ struct session_state { | |||
180 | struct packet_state p_read, p_send; | 180 | struct packet_state p_read, p_send; |
181 | 181 | ||
182 | /* Volume-based rekeying */ | 182 | /* Volume-based rekeying */ |
183 | u_int64_t max_blocks_in, max_blocks_out; | 183 | u_int64_t max_blocks_in, max_blocks_out, rekey_limit; |
184 | u_int32_t rekey_limit; | ||
185 | 184 | ||
186 | /* Time-based rekeying */ | 185 | /* Time-based rekeying */ |
187 | u_int32_t rekey_interval; /* how often in seconds */ | 186 | u_int32_t rekey_interval; /* how often in seconds */ |
@@ -953,7 +952,10 @@ ssh_set_newkeys(struct ssh *ssh, int mode) | |||
953 | max_blocks = &state->max_blocks_in; | 952 | max_blocks = &state->max_blocks_in; |
954 | } | 953 | } |
955 | if (state->newkeys[mode] != NULL) { | 954 | if (state->newkeys[mode] != NULL) { |
956 | debug("set_newkeys: rekeying"); | 955 | debug("set_newkeys: rekeying, input %llu bytes %llu blocks, " |
956 | "output %llu bytes %llu blocks", | ||
957 | state->p_read.bytes, state->p_read.blocks, | ||
958 | state->p_send.bytes, state->p_send.blocks); | ||
957 | if ((r = cipher_cleanup(cc)) != 0) | 959 | if ((r = cipher_cleanup(cc)) != 0) |
958 | return r; | 960 | return r; |
959 | enc = &state->newkeys[mode]->enc; | 961 | enc = &state->newkeys[mode]->enc; |
@@ -1021,6 +1023,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode) | |||
1021 | if (state->rekey_limit) | 1023 | if (state->rekey_limit) |
1022 | *max_blocks = MIN(*max_blocks, | 1024 | *max_blocks = MIN(*max_blocks, |
1023 | state->rekey_limit / enc->block_size); | 1025 | state->rekey_limit / enc->block_size); |
1026 | debug("rekey after %llu blocks", *max_blocks); | ||
1024 | return 0; | 1027 | return 0; |
1025 | } | 1028 | } |
1026 | 1029 | ||
@@ -2271,9 +2274,9 @@ ssh_packet_need_rekeying(struct ssh *ssh) | |||
2271 | } | 2274 | } |
2272 | 2275 | ||
2273 | void | 2276 | void |
2274 | ssh_packet_set_rekey_limits(struct ssh *ssh, u_int32_t bytes, time_t seconds) | 2277 | ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, time_t seconds) |
2275 | { | 2278 | { |
2276 | debug3("rekey after %lld bytes, %d seconds", (long long)bytes, | 2279 | debug3("rekey after %llu bytes, %d seconds", (unsigned long long)bytes, |
2277 | (int)seconds); | 2280 | (int)seconds); |
2278 | ssh->state->rekey_limit = bytes; | 2281 | ssh->state->rekey_limit = bytes; |
2279 | ssh->state->rekey_interval = seconds; | 2282 | ssh->state->rekey_interval = seconds; |
@@ -2431,7 +2434,7 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) | |||
2431 | if ((r = kex_to_blob(m, ssh->kex)) != 0 || | 2434 | if ((r = kex_to_blob(m, ssh->kex)) != 0 || |
2432 | (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || | 2435 | (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || |
2433 | (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || | 2436 | (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || |
2434 | (r = sshbuf_put_u32(m, state->rekey_limit)) != 0 || | 2437 | (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 || |
2435 | (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 || | 2438 | (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 || |
2436 | (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 || | 2439 | (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 || |
2437 | (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 || | 2440 | (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 || |
@@ -2610,7 +2613,7 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) | |||
2610 | if ((r = kex_from_blob(m, &ssh->kex)) != 0 || | 2613 | if ((r = kex_from_blob(m, &ssh->kex)) != 0 || |
2611 | (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || | 2614 | (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || |
2612 | (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || | 2615 | (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || |
2613 | (r = sshbuf_get_u32(m, &state->rekey_limit)) != 0 || | 2616 | (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 || |
2614 | (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 || | 2617 | (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 || |
2615 | (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 || | 2618 | (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 || |
2616 | (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 || | 2619 | (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 || |
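Review bot: The new debug calls in ssh_set_newkeys hand u_int64_t values straight to `%llu` — the p_read/p_send bytes and blocks arguments in the first hunk and `*max_blocks` in the second — without the `(unsigned long long)` cast this same commit adds in ssh_packet_set_rekey_limits. Where u_int64_t is `unsigned long` rather than `unsigned long long` that is a -Wformat warning and a type mismatch under the standard even though the sizes agree, so the three sites should be written the same way: `(unsigned long long)state->p_read.bytes, (unsigned long long)state->p_read.blocks,` (likewise for p_send) and `debug("rekey after %llu blocks", (unsigned long long)*max_blocks);`. Both hunks sit inside ssh_set_newkeys, whose body starts and ends outside the shown lines.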
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.h,v 1.68 2016/01/14 16:17:40 markus Exp $ */ | 1 | /* $OpenBSD: packet.h,v 1.69 2016/01/29 02:54:45 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -146,7 +146,7 @@ const char *ssh_remote_ipaddr(struct ssh *); | |||
146 | int ssh_remote_port(struct ssh *); | 146 | int ssh_remote_port(struct ssh *); |
147 | 147 | ||
148 | int ssh_packet_need_rekeying(struct ssh *); | 148 | int ssh_packet_need_rekeying(struct ssh *); |
149 | void ssh_packet_set_rekey_limits(struct ssh *, u_int32_t, time_t); | 149 | void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, time_t); |
150 | time_t ssh_packet_get_rekey_timeout(struct ssh *); | 150 | time_t ssh_packet_get_rekey_timeout(struct ssh *); |
151 | 151 | ||
152 | void *ssh_packet_get_input(struct ssh *); | 152 | void *ssh_packet_get_input(struct ssh *); |
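--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.248 2016/01/14 16:17:40 markus Exp $ */
+/* $OpenBSD: readconf.c,v 1.249 2016/01/29 02:54:45 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -976,16 +976,12 @@ parse_time:
 if (scan_scaled(arg, &val64) == -1)
 fatal("%.200s line %d: Bad number '%s': %s",
 filename, linenum, arg, strerror(errno));
-/* check for too-large or too-small limits */
-if (val64 > UINT_MAX)
-fatal("%.200s line %d: RekeyLimit too large",
-filename, linenum);
 if (val64 != 0 && val64 < 16)
 fatal("%.200s line %d: RekeyLimit too small",
 filename, linenum);
 }
 if (*activep && options->rekey_limit == -1)
-options->rekey_limit = (u_int32_t)val64;
+options->rekey_limit = val64;
 if (s != NULL) { /* optional rekey interval present */
 if (strcmp(s, "none") == 0) {
 (void)strdelim(&s); /* discard */
@@ -2436,8 +2432,8 @@ dump_client_config(Options *o, const char *host)
 printf("%s\n", iptos2str(o->ip_qos_bulk));
 
 /* oRekeyLimit */
-printf("rekeylimit %lld %d\n",
-(long long)o->rekey_limit, o->rekey_interval);
+printf("rekeylimit %llu %d\n",
+(unsigned long long)o->rekey_limit, o->rekey_interval);
 
 /* oStreamLocalBindMask */
 printf("streamlocalbindmask 0%o\n",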
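Review bot: Dropping the `val64 > UINT_MAX` guard from the RekeyLimit parser is only safe if every consumer of options->rekey_limit now takes the full 64-bit value, and the diffstat shows no client-side caller of packet_set_rekey_limits updated alongside sshd.c. If ssh's own call site still narrows with `(u_int32_t)options.rekey_limit`, a RekeyLimit above 4 GiB would now be silently truncated instead of rejected, and a value whose low 32 bits are zero would be ignored outright, since ssh_set_newkeys applies rekey_limit only when it is non-zero. Please confirm that call site was converted the way sshd.c is in this diff, or keep the check until it is; the servconf.c hunk drops the same guard, but its caller in this diff is updated. Removing the comment also leaves the surviving `val64 < 16` check undocumented, and `/* check for too-small limits */` would keep the intent visible. The enclosing RekeyLimit case starts before the hunk.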
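--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.283 2015/11/13 04:38:06 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.284 2016/01/29 02:54:45 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -1330,16 +1330,12 @@ process_server_config_line(ServerOptions *options, char *line,
 if (scan_scaled(arg, &val64) == -1)
 fatal("%.200s line %d: Bad number '%s': %s",
 filename, linenum, arg, strerror(errno));
-/* check for too-large or too-small limits */
-if (val64 > UINT_MAX)
-fatal("%.200s line %d: RekeyLimit too large",
-filename, linenum);
 if (val64 != 0 && val64 < 16)
 fatal("%.200s line %d: RekeyLimit too small",
 filename, linenum);
 }
 if (*activep && options->rekey_limit == -1)
-options->rekey_limit = (u_int32_t)val64;
+options->rekey_limit = val64;
 if (cp != NULL) { /* optional rekey interval present */
 if (strcmp(cp, "none") == 0) {
 (void)strdelim(&cp); /* discard */
@@ -2361,7 +2357,7 @@ dump_config(ServerOptions *o)
 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
 printf("%s\n", iptos2str(o->ip_qos_bulk));
 
-printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
+printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
 o->rekey_interval);
 
 channel_print_adm_permitted_opens();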
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.463 2016/01/14 16:17:40 markus Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.464 2016/01/29 02:54:45 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -2563,7 +2563,7 @@ do_ssh2_kex(void) | |||
2563 | } | 2563 | } |
2564 | 2564 | ||
2565 | if (options.rekey_limit || options.rekey_interval) | 2565 | if (options.rekey_limit || options.rekey_interval) |
2566 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2566 | packet_set_rekey_limits(options.rekey_limit, |
2567 | (time_t)options.rekey_interval); | 2567 | (time_t)options.rekey_interval); |
2568 | 2568 | ||
2569 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2569 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |