upstream: split PerSourcePenalties address tracking. Previously it

used one shared table and overflow policy for IPv4 and IPv6 addresses, now it will use separate tables and optionally different overflow policies. This prevents misbehaviour from IPv6 addresses (which are vastly easier to obtain many of) from affecting IPv4 connections and may allow for stricter overflow policies. ok deraadt@ OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
openssh · Jun 12, 2024 · 4de80ff · 4de80ff
1 parent 06ab4c6
commit 4de80ff
Show file tree

Hide file tree

Showing 4 changed files with 165 additions and 75 deletions.
diff --git a/servconf.c b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.410 2024/06/11 00:36:20 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.411 2024/06/12 22:36:00 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
  *                    All rights reserved
@@ -165,8 +165,10 @@ initialize_server_options(ServerOptions *options)
 	options->per_source_masklen_ipv6 = -1;
 	options->per_source_penalty_exempt = NULL;
 	options->per_source_penalty.enabled = -1;
-	options->per_source_penalty.max_sources = -1;
+	options->per_source_penalty.max_sources4 = -1;
+	options->per_source_penalty.max_sources6 = -1;
 	options->per_source_penalty.overflow_mode = -1;
+	options->per_source_penalty.overflow_mode6 = -1;
 	options->per_source_penalty.penalty_crash = -1;
 	options->per_source_penalty.penalty_authfail = -1;
 	options->per_source_penalty.penalty_noauth = -1;
@@ -414,10 +416,14 @@ fill_default_server_options(ServerOptions *options)
 		options->per_source_masklen_ipv6 = 128;
 	if (options->per_source_penalty.enabled == -1)
 		options->per_source_penalty.enabled = 1;
-	if (options->per_source_penalty.max_sources == -1)
-		options->per_source_penalty.max_sources = 65536;
+	if (options->per_source_penalty.max_sources4 == -1)
+		options->per_source_penalty.max_sources4 = 65536;
+	if (options->per_source_penalty.max_sources6 == -1)
+		options->per_source_penalty.max_sources6 = 65536;
 	if (options->per_source_penalty.overflow_mode == -1)
 		options->per_source_penalty.overflow_mode = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE;
+	if (options->per_source_penalty.overflow_mode6 == -1)
+		options->per_source_penalty.overflow_mode6 = options->per_source_penalty.overflow_mode;
 	if (options->per_source_penalty.penalty_crash == -1)
 		options->per_source_penalty.penalty_crash = 90;
 	if (options->per_source_penalty.penalty_grace == -1)
@@ -2028,9 +2034,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 			} else if (strncmp(arg, "min:", 4) == 0) {
 				p = arg + 4;
 				intptr = &options->per_source_penalty.penalty_min;
-			} else if (strncmp(arg, "max-sources:", 12) == 0) {
-				intptr = &options->per_source_penalty.max_sources;
-				if ((errstr = atoi_err(arg+12, &value)) != NULL)
+			} else if (strncmp(arg, "max-sources4:", 13) == 0) {
+				intptr = &options->per_source_penalty.max_sources4;
+				if ((errstr = atoi_err(arg+13, &value)) != NULL)
+					fatal("%s line %d: %s value %s.",
+					    filename, linenum, keyword, errstr);
+			} else if (strncmp(arg, "max-sources6:", 13) == 0) {
+				intptr = &options->per_source_penalty.max_sources6;
+				if ((errstr = atoi_err(arg+13, &value)) != NULL)
 					fatal("%s line %d: %s value %s.",
 					    filename, linenum, keyword, errstr);
 			} else if (strcmp(arg, "overflow:deny-all") == 0) {
@@ -2039,6 +2050,12 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 			} else if (strcmp(arg, "overflow:permissive") == 0) {
 				intptr = &options->per_source_penalty.overflow_mode;
 				value = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE;
+			} else if (strcmp(arg, "overflow6:deny-all") == 0) {
+				intptr = &options->per_source_penalty.overflow_mode6;
+				value = PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL;
+			} else if (strcmp(arg, "overflow6:permissive") == 0) {
+				intptr = &options->per_source_penalty.overflow_mode6;
+				value = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE;
 			} else {
 				fatal("%s line %d: unsupported %s keyword %s",
 				    filename, linenum, keyword, arg);
@@ -3288,16 +3305,21 @@ dump_config(ServerOptions *o)
 
 	if (o->per_source_penalty.enabled) {
 		printf("persourcepenalties crash:%d authfail:%d noauth:%d "
-		    "grace-exceeded:%d max:%d min:%d max-sources:%d "
-		    "overflow:%s\n", o->per_source_penalty.penalty_crash,
+		    "grace-exceeded:%d max:%d min:%d max-sources4:%d "
+		    "max-sources6:%d overflow:%s overflow6:%s\n",
+		    o->per_source_penalty.penalty_crash,
 		    o->per_source_penalty.penalty_authfail,
 		    o->per_source_penalty.penalty_noauth,
 		    o->per_source_penalty.penalty_grace,
 		    o->per_source_penalty.penalty_max,
 		    o->per_source_penalty.penalty_min,
-		    o->per_source_penalty.max_sources,
+		    o->per_source_penalty.max_sources4,
+		    o->per_source_penalty.max_sources6,
 		    o->per_source_penalty.overflow_mode ==
 		    PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL ?
+		    "deny-all" : "permissive",
+		    o->per_source_penalty.overflow_mode6 ==
+		    PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL ?
 		    "deny-all" : "permissive");
 	} else
 		printf("persourcepenalties no\n");

diff --git a/servconf.h b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.164 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <[email protected]>
@@ -69,8 +69,10 @@ struct listenaddr {
 #define PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE	2
 struct per_source_penalty {
 	int	enabled;
-	int	max_sources;
+	int	max_sources4;
+	int	max_sources6;
 	int	overflow_mode;
+	int	overflow_mode6;
 	int	penalty_crash;
 	int	penalty_grace;
 	int	penalty_authfail;