The default rekeying recommendations are specified in
RFC4344 Section 3 (First and Second Rekeying Recommendations).
Additionally, the rekeying can be specified in configuration
file/options allowing us to turn the rekeying off, base it
on time or make it more strict.
The code is highly inspired by the OpenSSH rekeying code.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This also fixes the test using the crypto directly
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
And remove most of the direct access to the structure throughout the code
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
If the rekey is initialized by client, it sends the first KEXINIT
message, changes to the INIT_SENT state and waits for the KEXINIT
message from the server. This was not covered in the current filter.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This is more reliable fix than 83f2ac4a, which was failing for the
server initialized rekeying, because the session_state is altered
by receiving the KEXINIT from server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The ssh_options_copy() function was missing several options that were added
in recent years.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When the server requests rekey, it can send the SSH2_MSG_EXT_INFO. This
message was being filtered out by the packet filtering. This includes a
test to enforce the filtering rules for this packet type.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This checks if a timeout has been set using ssh_options_set(). If it has
been set it will use that parametr by default for blocking sessions.
This is at least what users are expecting.
Fixes T33
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Set sftp error to SSH_FX_BAD_MESSAGE if an unexpected message is
received.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When an operation fails in sftp subsystem, set the sftp error, so that
it can be obtained by sftp_get_error().
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When an attempt to read a closed channel happens, set the session error
state properly.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When reading a sftp packet and an EOF is received before all requested
bytes are read, set the session and sftp error codes.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
* This makes the array constant in the session structure, avoiding
allocations and frees while parsing the file
* It also drops passing the seen array to all the functions,
because it is already part of the passed session
* The test cases are adjusted to match these changes
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
