The unified diff between revisions [8b1f7f73..] and [9aa22036..] is displayed below. It can also be downloaded as a raw diff.
#
#
# patch "cli-runopts.c"
# from [55b8417f2694a3682e7acdd1bca86c1cf197a391]
# to [57097090db0a8b731fbbad99f81e22090fc52b92]
#
# patch "common-kex.c"
# from [f8e1f46a2302e61776d3de13da70a4e542d756d5]
# to [f10ca47123631d97763feed67c670c07c2ae85b9]
#
# patch "common-session.c"
# from [a9d10f22cb28660dc98684c3a472f4d45b5fc843]
# to [f15be48e3436391db518800b58e0dc7cbcdbfa28]
#
# patch "dbclient.1"
# from [b5aa55232b26b1e2aa1ac4019b29d15aed2a8077]
# to [272e5fd6b8d6dc6756aa1e20b84459269e31eabb]
#
# patch "dropbear.8"
# from [be774ab5bf2dd1dd58653d6fff04f801d9a6c594]
# to [80923a60e53e39e30a041299b1d62378d0598d31]
#
# patch "includes.h"
# from [7af72cca59d29e02cd3521d876f89005c6a791c6]
# to [d22d2c275b22b9e97425eb18d2d705a3de55f076]
#
# patch "kex.h"
# from [596a833742cc5ab88d3930e46214f19e129347f2]
# to [68c4c992e489c791d278a28f27d4c2aa611d90be]
#
# patch "options.h"
# from [e4d28defe9431722bbc858681d79070ed666c43d]
# to [419b9b9ae9c6f2d0eb53e2ebd93a3e86f55a705c]
#
# patch "packet.c"
# from [44903e72c3e83e405fad2b95480caa07bbd9591b]
# to [4936979cbecd00ef54c08893c8e6874f34d2e69d]
#
# patch "process-packet.c"
# from [6633b32f378eaa78928adbdb514cc2515f951890]
# to [592d68c8df9147e66af92f7c6907eca3a9cd673e]
#
# patch "runopts.h"
# from [e5a847e3563d6959987d9860af41c37df46b429b]
# to [28d3dc401244b14fa52cd842c39ee9f6fe3873ba]
#
# patch "session.h"
# from [cfedca9627c9f3e628b46215050ef0a136bd41c1]
# to [698e52464e29293ca989ac2547c438669587337c]
#
# patch "svr-auth.c"
# from [dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3]
# to [4d806df1e0e48b101a419330aa8858ddc770ef99]
#
# patch "svr-main.c"
# from [2936ec6e21ca47f22c8883258b6d7460963710e6]
# to [ca315d545592e772311d4ce9e2dcf4d7de5fd4d1]
#
# patch "svr-runopts.c"
# from [d73690171591a4606a6ef2bf1190675e4d0e3dfd]
# to [4d5f8179cb0c9f5caaae528bc458971259cc8abd]
#
# patch "svr-session.c"
# from [ff067fb604f593d58de6bb7c60fd28256941ed5f]
# to [ce034997dee4480afd43fa50d4cabf228b2a3564]
#
============================================================
--- cli-runopts.c 55b8417f2694a3682e7acdd1bca86c1cf197a391
+++ cli-runopts.c 57097090db0a8b731fbbad99f81e22090fc52b92
@@ -63,11 +63,14 @@ static void printhelp() {
#ifdef ENABLE_CLI_REMOTETCPFWD
"-R <listenport:remotehost:remoteport> Remote port forwarding\n"
#endif
- "-W <receive_window_buffer> (default %d, larger may be faster)\n"
+ "-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
+ "-K <keepalive> (0 is never, default %d)\n"
#ifdef DEBUG_TRACE
"-v verbose\n"
#endif
- ,DROPBEAR_VERSION, cli_opts.progname, DEFAULT_RECV_WINDOW);
+ ,DROPBEAR_VERSION, cli_opts.progname,
+ DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE);
+
}
void cli_getopts(int argc, char ** argv) {
@@ -112,6 +115,7 @@ void cli_getopts(int argc, char ** argv)
*/
opts.recv_window = DEFAULT_RECV_WINDOW;
char* recv_window_arg = NULL;
+ char* keepalive_arg = NULL;
/* Iterate all the arguments */
for (i = 1; i < (unsigned int)argc; i++) {
@@ -207,6 +211,9 @@ void cli_getopts(int argc, char ** argv)
case 'W':
next = &recv_window_arg;
break;
+ case 'K':
+ next = &keepalive_arg;
+ break;
#ifdef DEBUG_TRACE
case 'v':
debug_trace = 1;
@@ -302,11 +309,19 @@ void cli_getopts(int argc, char ** argv)
if (recv_window_arg)
{
opts.recv_window = atol(recv_window_arg);
- if (opts.recv_window == 0)
+ if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW)
{
dropbear_exit("Bad recv window '%s'", recv_window_arg);
}
}
+ if (keepalive_arg) {
+ opts.keepalive_secs = strtoul(keepalive_arg, NULL, 10);
+ if (opts.keepalive_secs == 0 && errno == EINVAL)
+ {
+ dropbear_exit("Bad keepalive '%s'", keepalive_arg);
+ }
+ }
+
}
#ifdef ENABLE_CLI_PUBKEY_AUTH
============================================================
--- common-kex.c f8e1f46a2302e61776d3de13da70a4e542d756d5
+++ common-kex.c f10ca47123631d97763feed67c670c07c2ae85b9
@@ -188,8 +188,6 @@ static void kexinitialise() {
/* Reset the kex state, ready for a new negotiation */
static void kexinitialise() {
- struct timeval tv;
-
TRACE(("kexinitialise()"))
/* sent/recv'd MSG_KEXINIT */
@@ -206,10 +204,7 @@ static void kexinitialise() {
ses.kexstate.datatrans = 0;
ses.kexstate.datarecv = 0;
- if (gettimeofday(&tv, 0) < 0) {
- dropbear_exit("Error getting time");
- }
- ses.kexstate.lastkextime = tv.tv_sec;
+ ses.kexstate.lastkextime = time(NULL);
}
============================================================
--- common-session.c a9d10f22cb28660dc98684c3a472f4d45b5fc843
+++ common-session.c f15be48e3436391db518800b58e0dc7cbcdbfa28
@@ -34,8 +34,10 @@
#include "kex.h"
#include "channel.h"
#include "atomicio.h"
+#include "runopts.h"
static void checktimeouts();
+static long select_timeout();
static int ident_readln(int fd, char* buf, int count);
struct sshsession ses; /* GLOBAL */
@@ -59,7 +61,8 @@ void common_session_init(int sock, char*
ses.sock = sock;
ses.maxfd = sock;
- ses.connecttimeout = 0;
+ ses.connect_time = 0;
+ ses.last_packet_time = 0;
if (pipe(ses.signal_pipe) < 0) {
dropbear_exit("signal pipe failed");
@@ -129,7 +132,7 @@ void session_loop(void(*loophandler)())
/* main loop, select()s for all sockets in use */
for(;;) {
- timeout.tv_sec = SELECT_TIMEOUT;
+ timeout.tv_sec = select_timeout();
timeout.tv_usec = 0;
FD_ZERO(&writefd);
FD_ZERO(&readfd);
@@ -359,20 +362,22 @@ static int ident_readln(int fd, char* bu
return pos+1;
}
+void send_msg_ignore() {
+ CHECKCLEARTOWRITE();
+ buf_putbyte(ses.writepayload, SSH_MSG_IGNORE);
+ buf_putstring(ses.writepayload, "", 0);
+ encrypt_packet();
+}
+
/* Check all timeouts which are required. Currently these are the time for
* user authentication, and the automatic rekeying. */
static void checktimeouts() {
- struct timeval tv;
- long secs;
+ time_t now;
- if (gettimeofday(&tv, 0) < 0) {
- dropbear_exit("Error getting time");
- }
-
- secs = tv.tv_sec;
+ now = time(NULL);
- if (ses.connecttimeout != 0 && secs > ses.connecttimeout) {
+ if (ses.connect_time != 0 && now - ses.connect_time >= AUTH_TIMEOUT) {
dropbear_close("Timeout before auth");
}
@@ -382,10 +387,27 @@ static void checktimeouts() {
}
if (!ses.kexstate.sentkexinit
- && (secs - ses.kexstate.lastkextime >= KEX_REKEY_TIMEOUT
- || ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)){
+ && (now - ses.kexstate.lastkextime >= KEX_REKEY_TIMEOUT
+ || ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)) {
TRACE(("rekeying after timeout or max data reached"))
send_msg_kexinit();
}
+
+ if (opts.keepalive_secs > 0
+ && now - ses.last_packet_time >= opts.keepalive_secs) {
+ send_msg_ignore();
+ }
}
+static long select_timeout() {
+ /* determine the minimum timeout that might be required, so
+ as to avoid waking when unneccessary */
+ long ret = LONG_MAX;
+ if (KEX_REKEY_TIMEOUT > 0)
+ ret = MIN(KEX_REKEY_TIMEOUT, ret);
+ if (AUTH_TIMEOUT > 0)
+ ret = MIN(AUTH_TIMEOUT, ret);
+ if (opts.keepalive_secs > 0)
+ ret = MIN(opts.keepalive_secs, ret);
+ return ret;
+}
============================================================
--- dbclient.1 b5aa55232b26b1e2aa1ac4019b29d15aed2a8077
+++ dbclient.1 272e5fd6b8d6dc6756aa1e20b84459269e31eabb
@@ -79,6 +79,13 @@ default buffer size.
Specify the per-channel receive window buffer size. Increasing this
may improve network performance at the expense of memory use. Use -h to see the
default buffer size.
+.TP
+.B \-K \fItimeout_seconds
+Ensure that traffic is transmitted at a certain interval in seconds. This is
+useful for working around firewalls or routers that drop connections after
+a certain period of inactivity. The trade-off is that a session may be
+closed if there is a temporary lapse of network connectivity. A setting
+if 0 disables keepalives.
.SH AUTHOR
Matt Johnston (matt@ucc.asn.au).
.br
============================================================
--- dropbear.8 be774ab5bf2dd1dd58653d6fff04f801d9a6c594
+++ dropbear.8 80923a60e53e39e30a041299b1d62378d0598d31
@@ -87,6 +87,13 @@ default buffer size.
Specify the per-channel receive window buffer size. Increasing this
may improve network performance at the expense of memory use. Use -h to see the
default buffer size.
+.TP
+.B \-K \fItimeout_seconds
+Ensure that traffic is transmitted at a certain interval in seconds. This is
+useful for working around firewalls or routers that drop connections after
+a certain period of inactivity. The trade-off is that a session may be
+closed if there is a temporary lapse of network connectivity. A setting
+if 0 disables keepalives.
.SH AUTHOR
Matt Johnston (matt@ucc.asn.au).
.br
============================================================
--- includes.h 7af72cca59d29e02cd3521d876f89005c6a791c6
+++ includes.h d22d2c275b22b9e97425eb18d2d705a3de55f076
@@ -56,6 +56,7 @@
#include <ctype.h>
#include <stdarg.h>
#include <dirent.h>
+#include <time.h>
#ifdef HAVE_UTMP_H
#include <utmp.h>
============================================================
--- kex.h 596a833742cc5ab88d3930e46214f19e129347f2
+++ kex.h 68c4c992e489c791d278a28f27d4c2aa611d90be
@@ -53,7 +53,7 @@ struct KEXState {
unsigned donefirstkex : 1; /* Set to 1 after the first kex has completed,
ie the transport layer has been set up */
- long lastkextime; /* time of the last kex */
+ time_t lastkextime; /* time of the last kex */
unsigned int datatrans; /* data transmitted since last kex */
unsigned int datarecv; /* data received since last kex */
============================================================
--- options.h e4d28defe9431722bbc858681d79070ed666c43d
+++ options.h 419b9b9ae9c6f2d0eb53e2ebd93a3e86f55a705c
@@ -231,6 +231,9 @@ etc) slower (perhaps by 50%). Recommende
though increasing it may not make a significant difference. */
#define TRANS_MAX_PAYLOAD_LEN 16384
+/* Ensure that data is transmitted every KEEPALIVE seconds. This can
+be overridden at runtime with -K. 0 disables keepalives */
+#define DEFAULT_KEEPALIVE 0
/*******************************************************************
* You shouldn't edit below here unless you know you need to.
@@ -287,9 +290,6 @@ etc) slower (perhaps by 50%). Recommende
#define _PATH_CP "/bin/cp"
-/* Timeouts in seconds */
-#define SELECT_TIMEOUT 20
-
/* success/failure defines */
#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE -1
@@ -343,6 +343,7 @@ etc) slower (perhaps by 50%). Recommende
#define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
RECV_WINDOWEXTEND bytes */
+#define MAX_RECV_WINDOW (1024*1024) /* 1 MB should be enough */
#define MAX_CHANNELS 100 /* simple mem restriction, includes each tcp/x11
connection, so can't be _too_ small */
============================================================
--- packet.c 44903e72c3e83e405fad2b95480caa07bbd9591b
+++ packet.c 4936979cbecd00ef54c08893c8e6874f34d2e69d
@@ -71,6 +71,8 @@ void write_packet() {
dropbear_exit("error writing");
}
}
+
+ ses.last_packet_time = time(NULL);
if (written == 0) {
ses.remoteclosed();
============================================================
--- process-packet.c 6633b32f378eaa78928adbdb514cc2515f951890
+++ process-packet.c 592d68c8df9147e66af92f7c6907eca3a9cd673e
@@ -56,8 +56,8 @@ void process_packet() {
switch(type) {
case SSH_MSG_IGNORE:
+ goto out;
case SSH_MSG_DEBUG:
- TRACE(("received SSH_MSG_IGNORE or SSH_MSG_DEBUG"))
goto out;
case SSH_MSG_UNIMPLEMENTED:
============================================================
--- runopts.h e5a847e3563d6959987d9860af41c37df46b429b
+++ runopts.h 28d3dc401244b14fa52cd842c39ee9f6fe3873ba
@@ -37,6 +37,7 @@ typedef struct runopts {
int listen_fwd_all;
#endif
unsigned int recv_window;
+ time_t keepalive_secs;
} runopts;
============================================================
--- session.h cfedca9627c9f3e628b46215050ef0a136bd41c1
+++ session.h 698e52464e29293ca989ac2547c438669587337c
@@ -45,6 +45,7 @@ void session_identification();
void session_loop(void(*loophandler)());
void common_session_cleanup();
void session_identification();
+void send_msg_ignore();
/* Server */
@@ -92,8 +93,9 @@ struct sshsession {
/* Is it a client or server? */
unsigned char isserver;
- long connecttimeout; /* time to disconnect if we have a timeout (for
- userauth etc), or 0 for no timeout */
+ time_t connect_time; /* time the connection was established
+ (cleared after auth once we're not
+ respecting AUTH_TIMEOUT any more) */
int sock;
@@ -131,6 +133,9 @@ struct sshsession {
int signal_pipe[2]; /* stores endpoints of a self-pipe used for
race-free signal handling */
+
+ time_t last_packet_time; /* time of the last packet transmission, for
+ keepalive purposes */
/* KEX/encryption related */
struct KEXState kexstate;
============================================================
--- svr-auth.c dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3
+++ svr-auth.c 4d806df1e0e48b101a419330aa8858ddc770ef99
@@ -357,7 +357,7 @@ void send_msg_userauth_success() {
encrypt_packet();
ses.authstate.authdone = 1;
- ses.connecttimeout = 0;
+ ses.connect_time = 0;
if (ses.authstate.pw->pw_uid == 0) {
============================================================
--- svr-main.c 2936ec6e21ca47f22c8883258b6d7460963710e6
+++ svr-main.c ca315d545592e772311d4ce9e2dcf4d7de5fd4d1
@@ -111,7 +111,6 @@ void main_noinetd() {
#ifdef NON_INETD_MODE
void main_noinetd() {
fd_set fds;
- struct timeval seltimeout;
unsigned int i, j;
int val;
int maxsock = -1;
@@ -175,9 +174,6 @@ void main_noinetd() {
FD_ZERO(&fds);
- seltimeout.tv_sec = 60;
- seltimeout.tv_usec = 0;
-
/* listening sockets */
for (i = 0; i < listensockcount; i++) {
FD_SET(listensocks[i], &fds);
@@ -191,7 +187,7 @@ void main_noinetd() {
}
}
- val = select(maxsock+1, &fds, NULL, NULL, &seltimeout);
+ val = select(maxsock+1, &fds, NULL, NULL, NULL);
if (exitflag) {
unlink(svr_opts.pidfile);
@@ -199,7 +195,7 @@ void main_noinetd() {
}
if (val == 0) {
- /* timeout reached */
+ /* timeout reached - shouldn't happen. eh */
continue;
}
============================================================
--- svr-runopts.c d73690171591a4606a6ef2bf1190675e4d0e3dfd
+++ svr-runopts.c 4d5f8179cb0c9f5caaae528bc458971259cc8abd
@@ -80,7 +80,8 @@ static void printhelp(const char * progn
#ifdef INETD_MODE
"-i Start for inetd\n"
#endif
- "-W <receive_window_buffer> (default %d, larger may be faster)\n"
+ "-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
+ "-K <keepalive> (0 is never, default %d)\n"
#ifdef DEBUG_TRACE
"-v verbose\n"
#endif
@@ -91,7 +92,8 @@ static void printhelp(const char * progn
#ifdef DROPBEAR_RSA
RSA_PRIV_FILENAME,
#endif
- DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, DEFAULT_RECV_WINDOW);
+ DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
+ DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE);
}
void svr_getopts(int argc, char ** argv) {
@@ -99,6 +101,8 @@ void svr_getopts(int argc, char ** argv)
unsigned int i;
char ** next = 0;
int nextisport = 0;
+ char* recv_window_arg = NULL;
+ char* keepalive_arg = NULL;
/* see printhelp() for options */
svr_opts.rsakeyfile = NULL;
@@ -130,7 +134,8 @@ void svr_getopts(int argc, char ** argv)
svr_opts.usingsyslog = 1;
#endif
opts.recv_window = DEFAULT_RECV_WINDOW;
- char* recv_window_arg = NULL;
+ opts.keepalive_secs = DEFAULT_KEEPALIVE;
+
#ifdef ENABLE_SVR_REMOTETCPFWD
opts.listen_fwd_all = 0;
#endif
@@ -210,6 +215,9 @@ void svr_getopts(int argc, char ** argv)
case 'W':
next = &recv_window_arg;
break;
+ case 'K':
+ next = &keepalive_arg;
+ break;
#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
case 's':
svr_opts.noauthpass = 1;
@@ -274,14 +282,21 @@ void svr_getopts(int argc, char ** argv)
}
- if (recv_window_arg)
- {
+ if (recv_window_arg) {
opts.recv_window = atol(recv_window_arg);
- if (opts.recv_window == 0)
+ if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW)
{
dropbear_exit("Bad recv window '%s'", recv_window_arg);
}
}
+
+ if (keepalive_arg) {
+ opts.keepalive_secs = strtoul(keepalive_arg, NULL, 10);
+ if (opts.keepalive_secs == 0 && errno == EINVAL)
+ {
+ dropbear_exit("Bad keepalive '%s'", keepalive_arg);
+ }
+ }
}
static void addportandaddress(char* spec) {
============================================================
--- svr-session.c ff067fb604f593d58de6bb7c60fd28256941ed5f
+++ svr-session.c ce034997dee4480afd43fa50d4cabf228b2a3564
@@ -77,8 +77,6 @@ void svr_session(int sock, int childpipe
void svr_session(int sock, int childpipe,
char* remotehost, char *addrstring) {
- struct timeval timeout;
-
reseedrandom();
crypto_init();
@@ -91,12 +89,8 @@ void svr_session(int sock, int childpipe
chaninitialise(svr_chantypes);
svr_chansessinitialise();
- if (gettimeofday(&timeout, 0) < 0) {
- dropbear_exit("Error getting time");
- }
+ ses.connect_time = time(NULL);
- ses.connecttimeout = timeout.tv_sec + AUTH_TIMEOUT;
-
/* set up messages etc */
ses.remoteclosed = svr_remoteclosed;