From c51b3b208c228fe6482ef00b3572a19683e7bb98 Mon Sep 17 00:00:00 2001 From: "Dwayne C. Litzenberger" Date: Sat, 24 Mar 2012 10:47:16 -0400 Subject: [PATCH] Fix SSHException when re-keying over a fast connection When Paramiko initiates a re-key request over a high-bandwidth, medium-latency connection, it erroneously terminates the connection with the error, "SSHException: Remote transport is ignoring rekey requests". This is due to the hard-coded limit of 20 packets that may be received after a re-key request has been sent. See, for example, this bug report: "Transfer fails at 1GB: rekey window too small, hard-coded" https://github.com/paramiko/paramiko/issues/49 This patch changes paramiko's behaviour as follows: - Decrease the threshold for starting re-keying from 2**30 to 2**29 bytes. - Decrease the threshold for starting re-keying from 2**30 to 2**29 packets. - Increase the limit of received packets between re-key request & completion from 20 packets to 2**29 packets. - Add a limit of 2**29 received bytes between re-key request & completion. In other words, we re-key more often in order to allow more data to be in-transit during re-keying. NOTE: It looks like Paramiko disables the keep-alive mechanism during re-keying. This patch does not change that behaviour. --- paramiko/packet.py | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/paramiko/packet.py b/paramiko/packet.py index 391c5d5..2f6d692 100644 --- a/paramiko/packet.py +++ b/paramiko/packet.py @@ -57,8 +57,11 @@ class Packetizer (object): # READ the secsh RFC's before raising these values. if anything, # they should probably be lower. - REKEY_PACKETS = pow(2, 30) - REKEY_BYTES = pow(2, 30) + REKEY_PACKETS = pow(2, 29) + REKEY_BYTES = pow(2, 29) + + REKEY_PACKETS_OVERFLOW_MAX = pow(2,29) # Allow receiving this many packets after a re-key request before terminating + REKEY_BYTES_OVERFLOW_MAX = pow(2,29) # Allow receiving this many bytes after a re-key request before terminating def __init__(self, socket): self.__socket = socket @@ -74,6 +77,7 @@ class Packetizer (object): self.__sent_packets = 0 self.__received_bytes = 0 self.__received_packets = 0 + self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 # current inbound/outbound ciphering: @@ -134,6 +138,7 @@ class Packetizer (object): self.__mac_key_in = mac_key self.__received_bytes = 0 self.__received_packets = 0 + self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 # wait until the reset happens in both directions before clearing rekey flag self.__init_count |= 2 @@ -316,6 +321,7 @@ class Packetizer (object): # only ask once for rekeying self._log(DEBUG, 'Rekeying (hit %d packets, %d bytes sent)' % (self.__sent_packets, self.__sent_bytes)) + self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 self._trigger_rekey() finally: @@ -368,19 +374,23 @@ class Packetizer (object): self.__sequence_number_in = (self.__sequence_number_in + 1) & 0xffffffffL # check for rekey - self.__received_bytes += packet_size + self.__mac_size_in + 4 + raw_packet_size = packet_size + self.__mac_size_in + 4 + self.__received_bytes += raw_packet_size self.__received_packets += 1 if self.__need_rekey: - # we've asked to rekey -- give them 20 packets to comply before + # we've asked to rekey -- give them some packets to comply before # dropping the connection + self.__received_bytes_overflow += raw_packet_size self.__received_packets_overflow += 1 - if self.__received_packets_overflow >= 20: + if (self.__received_packets_overflow >= self.REKEY_PACKETS_OVERFLOW_MAX) or \ + (self.__received_bytes_overflow >= self.REKEY_BYTES_OVERFLOW_MAX): raise SSHException('Remote transport is ignoring rekey requests') elif (self.__received_packets >= self.REKEY_PACKETS) or \ (self.__received_bytes >= self.REKEY_BYTES): # only ask once for rekeying self._log(DEBUG, 'Rekeying (hit %d packets, %d bytes received)' % (self.__received_packets, self.__received_bytes)) + self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 self._trigger_rekey()