- Add -K keepalive flag for dropbear and dbclient

- Try to reduce the frequency of select() timeouts - Add a max receive window size of 1MB --HG-- extra : convert_revision : 9aa22036cb511cddb35fbc0e09ad05acb39b64d1
2025-04-03 12:30:55 +00:00 · 2007-08-08 15:12:06 +00:00 · 2007-08-08 15:12:06 +00:00 · 75ec4d6510
commit 75ec4d6510
parent a7649c250f
16 changed files with 109 additions and 48 deletions
--- a/cli-runopts.c
+++ b/cli-runopts.c
@ -63,11 +63,14 @@ static void printhelp() {
 #ifdef ENABLE_CLI_REMOTETCPFWD
 					"-R <listenport:remotehost:remoteport> Remote port forwarding\n"
 #endif
-					"-W <receive_window_buffer> (default %d, larger may be faster)\n"
+					"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
 					"-K <keepalive>  (0 is never, default %d)\n"
 #ifdef DEBUG_TRACE
 					"-v    verbose\n"
 #endif
-					,DROPBEAR_VERSION, cli_opts.progname, DEFAULT_RECV_WINDOW);
+					,DROPBEAR_VERSION, cli_opts.progname,
 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE);
 }
 void cli_getopts(int argc, char ** argv) {
@ -112,6 +115,7 @@ void cli_getopts(int argc, char ** argv) {
 	*/
 	opts.recv_window = DEFAULT_RECV_WINDOW;
 	char* recv_window_arg = NULL;
 	char* keepalive_arg = NULL;
 	/* Iterate all the arguments */
 	for (i = 1; i < (unsigned int)argc; i++) {
@ -207,6 +211,9 @@ void cli_getopts(int argc, char ** argv) {
 				case 'W':
 					next = &recv_window_arg;
 					break;
 				case 'K':
 					next = &keepalive_arg;
 					break;
 #ifdef DEBUG_TRACE
 				case 'v':
 					debug_trace = 1;
@ -302,11 +309,19 @@ void cli_getopts(int argc, char ** argv) {
 	if (recv_window_arg)
 	{
 		opts.recv_window = atol(recv_window_arg);
-		if (opts.recv_window == 0)
+		if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW)
 		{
 			dropbear_exit("Bad recv window '%s'", recv_window_arg);
 		}
 	}
 	if (keepalive_arg) {
 		opts.keepalive_secs = strtoul(keepalive_arg, NULL, 10);
 		if (opts.keepalive_secs == 0 && errno == EINVAL)
 		{
 			dropbear_exit("Bad keepalive '%s'", keepalive_arg);
 		}
 	}
 }
 #ifdef ENABLE_CLI_PUBKEY_AUTH
--- a/common-kex.c
+++ b/common-kex.c
@ -188,8 +188,6 @@ void kexfirstinitialise() {
 /* Reset the kex state, ready for a new negotiation */
 static void kexinitialise() {
 	struct timeval tv;
 	TRACE(("kexinitialise()"))
 	/* sent/recv'd MSG_KEXINIT */
@ -206,10 +204,7 @@ static void kexinitialise() {
 	ses.kexstate.datatrans = 0;
 	ses.kexstate.datarecv = 0;
-	if (gettimeofday(&tv, 0) < 0) {
+	ses.kexstate.lastkextime = time(NULL);
 		dropbear_exit("Error getting time");
 	}
 	ses.kexstate.lastkextime = tv.tv_sec;
 }
--- a/common-session.c
+++ b/common-session.c
@ -34,8 +34,10 @@
 #include "kex.h"
 #include "channel.h"
 #include "atomicio.h"
 #include "runopts.h"
 static void checktimeouts();
 static long select_timeout();
 static int ident_readln(int fd, char* buf, int count);
 struct sshsession ses; /* GLOBAL */
@ -59,7 +61,8 @@ void common_session_init(int sock, char* remotehost) {
 	ses.sock = sock;
 	ses.maxfd = sock;
-	ses.connecttimeout = 0;
+	ses.connect_time = 0;
 	ses.last_packet_time = 0;
 	if (pipe(ses.signal_pipe) < 0) {
 		dropbear_exit("signal pipe failed");
@ -129,7 +132,7 @@ void session_loop(void(*loophandler)()) {
 	/* main loop, select()s for all sockets in use */
 	for(;;) {
-		timeout.tv_sec = SELECT_TIMEOUT;
+		timeout.tv_sec = select_timeout();
 		timeout.tv_usec = 0;
 		FD_ZERO(&writefd);
 		FD_ZERO(&readfd);
@ -359,20 +362,22 @@ static int ident_readln(int fd, char* buf, int count) {
 	return pos+1;
 }
 void send_msg_ignore() {
 	CHECKCLEARTOWRITE();
 	buf_putbyte(ses.writepayload, SSH_MSG_IGNORE);
 	buf_putstring(ses.writepayload, "", 0);
 	encrypt_packet();
 }
 /* Check all timeouts which are required. Currently these are the time for
 * user authentication, and the automatic rekeying. */
 static void checktimeouts() {
-	struct timeval tv;
+	time_t now;
 	long secs;
-	if (gettimeofday(&tv, 0) < 0) {
+	now = time(NULL);
 		dropbear_exit("Error getting time");
 	}
 	secs = tv.tv_sec;
-	if (ses.connecttimeout != 0 && secs > ses.connecttimeout) {
+	if (ses.connect_time != 0 && now - ses.connect_time >= AUTH_TIMEOUT) {
 			dropbear_close("Timeout before auth");
 	}
@ -382,10 +387,27 @@ static void checktimeouts() {
 	}
 	if (!ses.kexstate.sentkexinit
-			&& (secs - ses.kexstate.lastkextime >= KEX_REKEY_TIMEOUT
+			&& (now - ses.kexstate.lastkextime >= KEX_REKEY_TIMEOUT
-			|| ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)){
+			|| ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)) {
 		TRACE(("rekeying after timeout or max data reached"))
 		send_msg_kexinit();
 	}
 	if (opts.keepalive_secs > 0 
 		&& now - ses.last_packet_time >= opts.keepalive_secs) {
 		send_msg_ignore();
 	}
 }
 static long select_timeout() {
 	/* determine the minimum timeout that might be required, so
 	as to avoid waking when unneccessary */
 	long ret = LONG_MAX;
 	if (KEX_REKEY_TIMEOUT > 0)
 		ret = MIN(KEX_REKEY_TIMEOUT, ret);
 	if (AUTH_TIMEOUT > 0)
 		ret = MIN(AUTH_TIMEOUT, ret);
 	if (opts.keepalive_secs > 0)
 		ret = MIN(opts.keepalive_secs, ret);
 	return ret;
 }
--- a/dbclient.1
+++ b/dbclient.1
@ -79,6 +79,13 @@ connection will abort as normal.
 Specify the per-channel receive window buffer size. Increasing this 
 may improve network performance at the expense of memory use. Use -h to see the
 default buffer size.
 .TP
 .B \-K \fItimeout_seconds
 Ensure that traffic is transmitted at a certain interval in seconds. This is
 useful for working around firewalls or routers that drop connections after
 a certain period of inactivity. The trade-off is that a session may be
 closed if there is a temporary lapse of network connectivity. A setting
 if 0 disables keepalives.
 .SH AUTHOR
 Matt Johnston (matt@ucc.asn.au).
 .br
--- a/dropbear.8
+++ b/dropbear.8
@ -87,6 +87,13 @@ Allow remote hosts to connect to forwarded ports.
 Specify the per-channel receive window buffer size. Increasing this 
 may improve network performance at the expense of memory use. Use -h to see the
 default buffer size.
 .TP
 .B \-K \fItimeout_seconds
 Ensure that traffic is transmitted at a certain interval in seconds. This is
 useful for working around firewalls or routers that drop connections after
 a certain period of inactivity. The trade-off is that a session may be
 closed if there is a temporary lapse of network connectivity. A setting
 if 0 disables keepalives.
 .SH AUTHOR
 Matt Johnston (matt@ucc.asn.au).
 .br
--- a/includes.h
+++ b/includes.h
@ -56,6 +56,7 @@
 #include <ctype.h>
 #include <stdarg.h>
 #include <dirent.h>
 #include <time.h>
 #ifdef HAVE_UTMP_H
 #include <utmp.h>
--- a/kex.h
+++ b/kex.h
@ -53,7 +53,7 @@ struct KEXState {
 	unsigned donefirstkex : 1; /* Set to 1 after the first kex has completed,
 								  ie the transport layer has been set up */
-	long lastkextime; /* time of the last kex */
+	time_t lastkextime; /* time of the last kex */
 	unsigned int datatrans; /* data transmitted since last kex */
 	unsigned int datarecv; /* data received since last kex */
--- a/options.h
+++ b/options.h
@ -231,6 +231,9 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
   though increasing it may not make a significant difference. */
 #define TRANS_MAX_PAYLOAD_LEN 16384
 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
 be overridden at runtime with -K. 0 disables keepalives */
 #define DEFAULT_KEEPALIVE 0
 /*******************************************************************
 * You shouldn't edit below here unless you know you need to.
@ -287,9 +290,6 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
 #define _PATH_CP "/bin/cp"
 /* Timeouts in seconds */
 #define SELECT_TIMEOUT 20
 /* success/failure defines */
 #define DROPBEAR_SUCCESS 0
 #define DROPBEAR_FAILURE -1
@ -343,6 +343,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
 #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
 								RECV_WINDOWEXTEND bytes */
 #define MAX_RECV_WINDOW (1024*1024) /* 1 MB should be enough */
 #define MAX_CHANNELS 100 /* simple mem restriction, includes each tcp/x11
 							connection, so can't be _too_ small */
--- a/packet.c
+++ b/packet.c
@ -71,6 +71,8 @@ void write_packet() {
 			dropbear_exit("error writing");
 		}
 	} 
 	ses.last_packet_time = time(NULL);
 	if (written == 0) {
 		ses.remoteclosed();
--- a/process-packet.c
+++ b/process-packet.c
@ -56,8 +56,8 @@ void process_packet() {
 	switch(type) {
 		case SSH_MSG_IGNORE:
 			goto out;
 		case SSH_MSG_DEBUG:
 			TRACE(("received SSH_MSG_IGNORE or SSH_MSG_DEBUG"))
 			goto out;
 		case SSH_MSG_UNIMPLEMENTED:
--- a/runopts.h
+++ b/runopts.h
@ -37,6 +37,7 @@ typedef struct runopts {
 	int listen_fwd_all;
 #endif
 	unsigned int recv_window;
 	time_t keepalive_secs;
 } runopts;
--- a/session.h
+++ b/session.h
@ -45,6 +45,7 @@ void common_session_init(int sock, char* remotehost);
 void session_loop(void(*loophandler)());
 void common_session_cleanup();
 void session_identification();
 void send_msg_ignore();
 /* Server */
@ -92,8 +93,9 @@ struct sshsession {
 	/* Is it a client or server? */
 	unsigned char isserver;
-	long connecttimeout; /* time to disconnect if we have a timeout (for
+	time_t connect_time; /* time the connection was established
-							userauth etc), or 0 for no timeout */
+							(cleared after auth once we're not
 							respecting AUTH_TIMEOUT any more) */
 	int sock;
@ -131,6 +133,9 @@ struct sshsession {
    int signal_pipe[2]; /* stores endpoints of a self-pipe used for
 						   race-free signal handling */
 	time_t last_packet_time; /* time of the last packet transmission, for
 							keepalive purposes */
 	/* KEX/encryption related */
 	struct KEXState kexstate;
--- a/svr-auth.c
+++ b/svr-auth.c
@ -357,7 +357,7 @@ void send_msg_userauth_success() {
 	encrypt_packet();
 	ses.authstate.authdone = 1;
-	ses.connecttimeout = 0;
+	ses.connect_time = 0;
 	if (ses.authstate.pw->pw_uid == 0) {
--- a/svr-main.c
+++ b/svr-main.c
@ -111,7 +111,6 @@ static void main_inetd() {
 #ifdef NON_INETD_MODE
 void main_noinetd() {
 	fd_set fds;
 	struct timeval seltimeout;
 	unsigned int i, j;
 	int val;
 	int maxsock = -1;
@ -175,9 +174,6 @@ void main_noinetd() {
 		FD_ZERO(&fds);
 		seltimeout.tv_sec = 60;
 		seltimeout.tv_usec = 0;
 		/* listening sockets */
 		for (i = 0; i < listensockcount; i++) {
 			FD_SET(listensocks[i], &fds);
@ -191,7 +187,7 @@ void main_noinetd() {
 			}
 		}
-		val = select(maxsock+1, &fds, NULL, NULL, &seltimeout);
+		val = select(maxsock+1, &fds, NULL, NULL, NULL);
 		if (exitflag) {
 			unlink(svr_opts.pidfile);
@ -199,7 +195,7 @@ void main_noinetd() {
 		}
 		if (val == 0) {
-			/* timeout reached */
+			/* timeout reached - shouldn't happen. eh */
 			continue;
 		}
--- a/svr-runopts.c
+++ b/svr-runopts.c
@ -80,7 +80,8 @@ static void printhelp(const char * progname) {
 #ifdef INETD_MODE
 					"-i		Start for inetd\n"
 #endif
-					"-W <receive_window_buffer> (default %d, larger may be faster)\n"
+					"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
 					"-K <keepalive>  (0 is never, default %d)\n"
 #ifdef DEBUG_TRACE
 					"-v		verbose\n"
 #endif
@ -91,7 +92,8 @@ static void printhelp(const char * progname) {
 #ifdef DROPBEAR_RSA
 					RSA_PRIV_FILENAME,
 #endif
-					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, DEFAULT_RECV_WINDOW);
+					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE);
 }
 void svr_getopts(int argc, char ** argv) {
@ -99,6 +101,8 @@ void svr_getopts(int argc, char ** argv) {
 	unsigned int i;
 	char ** next = 0;
 	int nextisport = 0;
 	char* recv_window_arg = NULL;
 	char* keepalive_arg = NULL;
 	/* see printhelp() for options */
 	svr_opts.rsakeyfile = NULL;
@ -130,7 +134,8 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.usingsyslog = 1;
 #endif
 	opts.recv_window = DEFAULT_RECV_WINDOW;
-	char* recv_window_arg = NULL;
+	opts.keepalive_secs = DEFAULT_KEEPALIVE;	
 #ifdef ENABLE_SVR_REMOTETCPFWD
 	opts.listen_fwd_all = 0;
 #endif
@ -210,6 +215,9 @@ void svr_getopts(int argc, char ** argv) {
 				case 'W':
 					next = &recv_window_arg;
 					break;
 				case 'K':
 					next = &keepalive_arg;
 					break;
 #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
 				case 's':
 					svr_opts.noauthpass = 1;
@ -274,14 +282,21 @@ void svr_getopts(int argc, char ** argv) {
 	}
-	if (recv_window_arg)
+	if (recv_window_arg) {
 	{
 		opts.recv_window = atol(recv_window_arg);
-		if (opts.recv_window == 0)
+		if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW)
 		{
 			dropbear_exit("Bad recv window '%s'", recv_window_arg);
 		}
 	}
 	if (keepalive_arg) {
 		opts.keepalive_secs = strtoul(keepalive_arg, NULL, 10);
 		if (opts.keepalive_secs == 0 && errno == EINVAL)
 		{
 			dropbear_exit("Bad keepalive '%s'", keepalive_arg);
 		}
 	}
 }
 static void addportandaddress(char* spec) {
--- a/svr-session.c
+++ b/svr-session.c
@ -77,8 +77,6 @@ static const struct ChanType *svr_chantypes[] = {
 void svr_session(int sock, int childpipe, 
 		char* remotehost, char *addrstring) {
 	struct timeval timeout;
    reseedrandom();
 	crypto_init();
@ -91,11 +89,7 @@ void svr_session(int sock, int childpipe,
 	chaninitialise(svr_chantypes);
 	svr_chansessinitialise();
-	if (gettimeofday(&timeout, 0) < 0) {
+	ses.connect_time = time(NULL);
 		dropbear_exit("Error getting time");
 	}
 	ses.connecttimeout = timeout.tv_sec + AUTH_TIMEOUT;
 	/* set up messages etc */
 	ses.remoteclosed = svr_remoteclosed;