summaryrefslogtreecommitdiff
path: root/paramiko/packet.py
diff options
context:
space:
mode:
Diffstat (limited to 'paramiko/packet.py')
-rw-r--r--paramiko/packet.py52
1 files changed, 36 insertions, 16 deletions
diff --git a/paramiko/packet.py b/paramiko/packet.py
index 391c5d5..38a6d4b 100644
--- a/paramiko/packet.py
+++ b/paramiko/packet.py
@@ -29,7 +29,7 @@ import time
from paramiko.common import *
from paramiko import util
-from paramiko.ssh_exception import SSHException
+from paramiko.ssh_exception import SSHException, ProxyCommandFailure
from paramiko.message import Message
@@ -57,8 +57,11 @@ class Packetizer (object):
# READ the secsh RFC's before raising these values. if anything,
# they should probably be lower.
- REKEY_PACKETS = pow(2, 30)
- REKEY_BYTES = pow(2, 30)
+ REKEY_PACKETS = pow(2, 29)
+ REKEY_BYTES = pow(2, 29)
+
+ REKEY_PACKETS_OVERFLOW_MAX = pow(2,29) # Allow receiving this many packets after a re-key request before terminating
+ REKEY_BYTES_OVERFLOW_MAX = pow(2,29) # Allow receiving this many bytes after a re-key request before terminating
def __init__(self, socket):
self.__socket = socket
@@ -74,6 +77,7 @@ class Packetizer (object):
self.__sent_packets = 0
self.__received_bytes = 0
self.__received_packets = 0
+ self.__received_bytes_overflow = 0
self.__received_packets_overflow = 0
# current inbound/outbound ciphering:
@@ -83,6 +87,7 @@ class Packetizer (object):
self.__mac_size_in = 0
self.__block_engine_out = None
self.__block_engine_in = None
+ self.__sdctr_out = False
self.__mac_engine_out = None
self.__mac_engine_in = None
self.__mac_key_out = ''
@@ -106,11 +111,12 @@ class Packetizer (object):
"""
self.__logger = log
- def set_outbound_cipher(self, block_engine, block_size, mac_engine, mac_size, mac_key):
+ def set_outbound_cipher(self, block_engine, block_size, mac_engine, mac_size, mac_key, sdctr=False):
"""
Switch outbound data cipher.
"""
self.__block_engine_out = block_engine
+ self.__sdctr_out = sdctr
self.__block_size_out = block_size
self.__mac_engine_out = mac_engine
self.__mac_size_out = mac_size
@@ -134,6 +140,7 @@ class Packetizer (object):
self.__mac_key_in = mac_key
self.__received_bytes = 0
self.__received_packets = 0
+ self.__received_bytes_overflow = 0
self.__received_packets_overflow = 0
# wait until the reset happens in both directions before clearing rekey flag
self.__init_count |= 2
@@ -236,23 +243,25 @@ class Packetizer (object):
def write_all(self, out):
self.__keepalive_last = time.time()
while len(out) > 0:
- got_timeout = False
+ retry_write = False
try:
n = self.__socket.send(out)
except socket.timeout:
- got_timeout = True
+ retry_write = True
except socket.error, e:
if (type(e.args) is tuple) and (len(e.args) > 0) and (e.args[0] == errno.EAGAIN):
- got_timeout = True
+ retry_write = True
elif (type(e.args) is tuple) and (len(e.args) > 0) and (e.args[0] == errno.EINTR):
# syscall interrupted; try again
- pass
+ retry_write = True
else:
n = -1
+ except ProxyCommandFailure:
+ raise # so it doesn't get swallowed by the below catchall
except Exception:
# could be: (32, 'Broken pipe')
n = -1
- if got_timeout:
+ if retry_write:
n = 0
if self.__closed:
n = -1
@@ -316,6 +325,7 @@ class Packetizer (object):
# only ask once for rekeying
self._log(DEBUG, 'Rekeying (hit %d packets, %d bytes sent)' %
(self.__sent_packets, self.__sent_bytes))
+ self.__received_bytes_overflow = 0
self.__received_packets_overflow = 0
self._trigger_rekey()
finally:
@@ -368,19 +378,23 @@ class Packetizer (object):
self.__sequence_number_in = (self.__sequence_number_in + 1) & 0xffffffffL
# check for rekey
- self.__received_bytes += packet_size + self.__mac_size_in + 4
+ raw_packet_size = packet_size + self.__mac_size_in + 4
+ self.__received_bytes += raw_packet_size
self.__received_packets += 1
if self.__need_rekey:
- # we've asked to rekey -- give them 20 packets to comply before
+ # we've asked to rekey -- give them some packets to comply before
# dropping the connection
+ self.__received_bytes_overflow += raw_packet_size
self.__received_packets_overflow += 1
- if self.__received_packets_overflow >= 20:
+ if (self.__received_packets_overflow >= self.REKEY_PACKETS_OVERFLOW_MAX) or \
+ (self.__received_bytes_overflow >= self.REKEY_BYTES_OVERFLOW_MAX):
raise SSHException('Remote transport is ignoring rekey requests')
elif (self.__received_packets >= self.REKEY_PACKETS) or \
(self.__received_bytes >= self.REKEY_BYTES):
# only ask once for rekeying
self._log(DEBUG, 'Rekeying (hit %d packets, %d bytes received)' %
(self.__received_packets, self.__received_bytes))
+ self.__received_bytes_overflow = 0
self.__received_packets_overflow = 0
self._trigger_rekey()
@@ -459,6 +473,12 @@ class Packetizer (object):
break
except socket.timeout:
pass
+ except EnvironmentError, e:
+ if ((type(e.args) is tuple) and (len(e.args) > 0) and
+ (e.args[0] == errno.EINTR)):
+ pass
+ else:
+ raise
if self.__closed:
raise EOFError()
now = time.time()
@@ -472,12 +492,12 @@ class Packetizer (object):
padding = 3 + bsize - ((len(payload) + 8) % bsize)
packet = struct.pack('>IB', len(payload) + padding + 1, padding)
packet += payload
- if self.__block_engine_out is not None:
- packet += rng.read(padding)
- else:
- # cute trick i caught openssh doing: if we're not encrypting,
+ if self.__sdctr_out or self.__block_engine_out is None:
+ # cute trick i caught openssh doing: if we're not encrypting or SDCTR mode (RFC4344),
# don't waste random bytes for the padding
packet += (chr(0) * padding)
+ else:
+ packet += rng.read(padding)
return packet
def _trigger_rekey(self):
generated by cgit v1.2.3 (git 2.45.0) at 2024-11-24 06:17:49 +0000