author | jp161948 <none@none> | 2008-04-08 06:48:11 -0700 |
---|---|---|
committer | jp161948 <none@none> | 2008-04-08 06:48:11 -0700 |
commit | dbe3f931a78f2d36a72003f6b51bf1fdc3aa035e (patch) | |
tree | a40b53ffde85b2649e94036d96231754a98d12dd /usr/src/cmd/ssh | |
parent | 8042ac43e2378c55e9493024bfb03652e5f7a761 (diff) | |
download | illumos-joyent-dbe3f931a78f2d36a72003f6b51bf1fdc3aa035e.tar.gz |
6679747 ssh disconnects with error if rc4, 3des or blowfish is used and default RekeyLimit is reached
Diffstat (limited to 'usr/src/cmd/ssh')
-rw-r--r-- | usr/src/cmd/ssh/include/altprivsep.h | 11 | ||||
-rw-r--r-- | usr/src/cmd/ssh/libssh/common/packet.c | 5 | ||||
-rw-r--r-- | usr/src/cmd/ssh/ssh/clientloop.c | 11 | ||||
-rw-r--r-- | usr/src/cmd/ssh/sshd/altprivsep.c | 42 | ||||
-rw-r--r-- | usr/src/cmd/ssh/sshd/serverloop.c | 10 |
5 files changed, 61 insertions, 18 deletions
diff --git a/usr/src/cmd/ssh/include/altprivsep.h b/usr/src/cmd/ssh/include/altprivsep.h
index fbb7ca9910..aa2d32417e 100644
--- a/usr/src/cmd/ssh/include/altprivsep.h
+++ b/usr/src/cmd/ssh/include/altprivsep.h
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -19,7 +18,7 @@
  *
  * CDDL HEADER END
  *
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  */
@@ -40,6 +39,7 @@ extern "C" {
 #define APS_MSG_NEWKEYS_REP 1
 #define APS_MSG_RECORD_LOGIN 2
 #define APS_MSG_RECORD_LOGOUT 3
+#define APS_MSG_START_REKEX 4
 pid_t altprivsep_start_monitor(Authctxt *authctxt);
@@ -55,10 +55,11 @@ void altprivsep_rekey(int type, u_int32_t seq, void *ctxt);
 void altprivsep_shutdown_sock(void *arg);
 /* Calls _to_ monitor from unprivileged process */
-void altprivsep_process_input(Kex *kex, fd_set *rset);
+void altprivsep_process_input(fd_set *rset);
 void altprivsep_get_newkeys(enum kex_modes mode);
 void altprivsep_record_login(pid_t pid, const char *ttyname);
 void altprivsep_record_logout(pid_t pid);
+void altprivsep_start_rekex(void);
 /* Functions for use in the monitor */
 void aps_input_altpriv_msg(int type, u_int32_t seq, void *ctxt);
diff --git a/usr/src/cmd/ssh/libssh/common/packet.c b/usr/src/cmd/ssh/libssh/common/packet.c
index 985666a576..51b4183cca 100644
--- a/usr/src/cmd/ssh/libssh/common/packet.c
+++ b/usr/src/cmd/ssh/libssh/common/packet.c
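Review bot: APS_MSG_START_REKEX is added next to the other APS_MSG_* subtypes with no indication of which side sends it or what the monitor answers, even though the prototypes further down are grouped by direction. The altprivsep.c hunks in this commit show that the unprivileged child sends it and that the monitor answers with an empty SSH2_PRIV_MSG_ALTPRIVSEP before it sends KEXINIT, so a trailing comment would spare the next reader a trip through the implementation: `#define APS_MSG_START_REKEX 4 /* child -> monitor: please send KEXINIT; monitor acks */`. The new `void altprivsep_start_rekex(void);` prototype could likewise note that it waits for that ack before returning.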
@@ -36,7 +36,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  */
@@ -557,7 +557,8 @@ set_newkeys(int mode)
 max_blocks = &max_blocks_in;
 }
 if (newkeys[mode] != NULL) {
- debug("set_newkeys: rekeying");
+ debug("set_newkeys: setting new keys for '%s' mode",
+ mode == MODE_IN ? "in" : "out");
 cipher_cleanup(cc);
 free_keys(newkeys[mode]);
 }
diff --git a/usr/src/cmd/ssh/ssh/clientloop.c b/usr/src/cmd/ssh/ssh/clientloop.c
index 5929b7b6e0..12487a6cbb 100644
--- a/usr/src/cmd/ssh/ssh/clientloop.c
+++ b/usr/src/cmd/ssh/ssh/clientloop.c
@@ -1,8 +1,4 @@
 /*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-/*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -62,6 +58,11 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
 #include "includes.h"
 RCSID("$OpenBSD: clientloop.c,v 1.104 2002/08/22 19:38:42 stevesk Exp $");
@@ -1177,7 +1178,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 if (!rekeying) {
 channel_after_select(readset, writeset);
 if (need_rekeying || packet_need_rekeying()) {
- debug("need rekeying");
+ debug("rekey limit reached, need rekeying");
 xxx_kex->done = 0;
 kex_send_kexinit(xxx_kex);
 need_rekeying = 0;
diff --git a/usr/src/cmd/ssh/sshd/altprivsep.c b/usr/src/cmd/ssh/sshd/altprivsep.c
index c2c0a17e8b..4fa1a4850b 100644
--- a/usr/src/cmd/ssh/sshd/altprivsep.c
+++ b/usr/src/cmd/ssh/sshd/altprivsep.c
@@ -18,7 +18,7 @@
  *
  * CDDL HEADER END
  *
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  */
@@ -167,6 +167,7 @@ static Authctxt *xxx_authctxt;
 extern void aps_monitor_loop(Authctxt *authctxt, int pipe, pid_t child_pid);
 static void aps_record_login(void);
 static void aps_record_logout(void);
+static void aps_start_rekex(void);
 /* Altprivsep packet utilities for communication with the monitor */
 static void altprivsep_packet_start(u_char);
@@ -314,7 +315,7 @@ altprivsep_rekey(int type, u_int32_t seq, void *ctxt)
 }
 void
-altprivsep_process_input(Kex *kex, fd_set *rset)
+altprivsep_process_input(fd_set *rset)
 {
 void *data;
 int type;
@@ -521,6 +522,15 @@ altprivsep_record_logout(pid_t pid)
 altprivsep_packet_read_expect(SSH2_PRIV_MSG_ALTPRIVSEP);
 }
+void
+altprivsep_start_rekex(void)
+{
+ altprivsep_packet_start(SSH2_PRIV_MSG_ALTPRIVSEP);
+ altprivsep_packet_put_char(APS_MSG_START_REKEX);
+ altprivsep_packet_send();
+ altprivsep_packet_read_expect(SSH2_PRIV_MSG_ALTPRIVSEP);
+}
+
 static void aps_send_newkeys(void);
 /* Monitor side dispatch handler for SSH2_PRIV_MSG_ALTPRIVSEP */
@@ -542,6 +552,9 @@ aps_input_altpriv_msg(int type, u_int32_t seq, void *ctxt)
 case APS_MSG_RECORD_LOGOUT:
 aps_record_logout();
 break;
+ case APS_MSG_START_REKEX:
+ aps_start_rekex();
+ break;
 default:
 break;
 }
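Review bot: altprivsep_start_rekex() carries no comment, so a reader cannot tell from the function alone why the unprivileged child asks the monitor for a KEXINIT instead of calling kex_send_kexinit() itself the way client_loop() in this same commit does. A short header comment would record the reason the commit exists: `/* Ask the monitor, which runs the key exchange for us, to send KEXINIT; wait for its empty SSH2_PRIV_MSG_ALTPRIVSEP ack. */`. The final altprivsep_packet_read_expect() call means the child stalls until the monitor answers; if that helper aborts on any other message type, as OpenSSH's packet_read_expect() does, a monitor-to-child packet arriving ahead of the ack would end the session, which is worth confirming against its implementation since it is not visible in this hunk.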
@@ -667,6 +680,31 @@ aps_record_logout(void)
 packet_send();
 }
+static
+void
+aps_start_rekex(void)
+{
+ /*
+ * Send confirmation. We could implement it without that but it doesn't
+ * bring any harm to do that and we are consistent with other subtypes
+ * of our private SSH2_PRIV_MSG_ALTPRIVSEP message type.
+ */
+ packet_start(SSH2_PRIV_MSG_ALTPRIVSEP);
+ packet_send();
+
+ /*
+ * KEX_INIT message could be the one that reached the limit. In that
+ * case, it was already forwarded to us from the unnprivileged child,
+ * and maybe even acted upon. Obviously we must not send another
+ * KEX_INIT message.
+ */
+ if (!(xxx_kex->flags & KEX_INIT_SENT))
+ kex_send_kexinit(xxx_kex);
+ else
+ debug2("rekeying already in progress");
+}
+
+
 /* Utilities for communication with the monitor */
 static void
diff --git a/usr/src/cmd/ssh/sshd/serverloop.c b/usr/src/cmd/ssh/sshd/serverloop.c
index e7e7711f81..185c5cbcb8 100644
--- a/usr/src/cmd/ssh/sshd/serverloop.c
+++ b/usr/src/cmd/ssh/sshd/serverloop.c
@@ -34,7 +34,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  */
@@ -956,14 +956,16 @@ server_loop2(Authctxt *authctxt)
 if (!rekeying) {
 channel_after_select(readset, writeset);
 if (packet_need_rekeying()) {
- debug("need rekeying");
+ debug("rekey limit reached, need rekeying");
 xxx_kex->done = 0;
- kex_send_kexinit(xxx_kex);
+ debug("poking the monitor to start "
+ "key re-exchange");
+ altprivsep_start_rekex();
 }
 }
 #ifdef ALTPRIVSEP
 else
- altprivsep_process_input(xxx_kex, readset);
+ altprivsep_process_input(readset);
 #endif /* ALTPRIVSEP */
 process_input(readset);
|
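Review bot: aps_start_rekex() sends its acknowledgement before it looks at KEX_INIT_SENT, so the unprivileged child receives the same empty SSH2_PRIV_MSG_ALTPRIVSEP whether a KEXINIT was actually emitted or a re-exchange was already under way; the serverloop.c side of this commit only copes because it sets `xxx_kex->done = 0` before calling altprivsep_start_rekex(). The first comment block should say this outright rather than only that the ack "doesn't bring any harm", e.g. append `* The reply carries no status; the caller must not assume a KEXINIT went out.`. As far as this hunk shows, the KEX_INIT_SENT test is also the only thing preventing a misbehaving child from making the privileged monitor emit one KEXINIT after another, which deserves a sentence in the second comment block, and that block misspells "unprivileged" as "unnprivileged".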
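Review bot: The replacement of kex_send_kexinit(xxx_kex) with altprivsep_start_rekex() is unconditional, while the altprivsep_process_input() call two lines below stays inside `#ifdef ALTPRIVSEP`; in a build without ALTPRIVSEP there would be no monitor to answer the request, and the direct kex_send_kexinit() path that used to handle the rekey limit is gone. Whether such a build is still supported is not visible here, but either the new call should be guarded the same way with the old call kept in the #else branch, or the remaining #ifdef should be dropped so the function does not half-pretend to support both configurations. The rest of server_loop2() lies outside the hunk.
```c
				xxx_kex->done = 0;
#ifdef ALTPRIVSEP
				debug("poking the monitor to start "
				    "key re-exchange");
				altprivsep_start_rekex();
#else
				kex_send_kexinit(xxx_kex);
#endif /* ALTPRIVSEP */
```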