Support ~R for rekey

2025-12-20 02:17:46 +08:00 · 2025-05-06 22:45:36 +08:00
parent bd12a8611b
commit 3eafae7b11
4 changed files with 14 additions and 1 deletions
--- a/manpages/dbclient.1
+++ b/manpages/dbclient.1
@@ -244,6 +244,8 @@ Typing a newline followed by the  key sequence \fI~.\fR (tilde, dot) will termin
 The sequence \fI~^Z\fR (tilde, ctrl-z) will background the connection. This behaviour only
 applies when a PTY is used.

+\fI~R\fR will perform a key re-exchange of ephemeral session keys.
+
 .SH ENVIRONMENT
 .TP
 .B DROPBEAR_PASSWORD
--- a/src/cli-chansession.c
+++ b/src/cli-chansession.c
@@ -443,6 +443,11 @@ do_escape(unsigned char c) {
 			cli_tty_setup();
 			cli_ses.winchange = 1;
 			return 1;
+		case 'R':
+			/* rekey */
+			dropbear_log(LOG_INFO, "rekey");
+			ses.kexstate.needrekey = 1;
+			return 1;
 		default:
 			return 0;
 	}
--- a/src/common-session.c
+++ b/src/common-session.c
@@ -559,8 +559,10 @@ static void checktimeouts() {

 	if (!ses.kexstate.sentkexinit
 			&& (elapsed(now, ses.kexstate.lastkextime) >= KEX_REKEY_TIMEOUT
-			|| ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)) {
+			|| ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA
+			|| ses.kexstate.needrekey)) {
 		TRACE(("rekeying after timeout or max data reached"))
+		ses.kexstate.needrekey = 0;
 		send_msg_kexinit();
 	}

@@ -612,6 +614,9 @@ static long select_timeout() {
 	if (!ses.kexstate.sentkexinit) {
 		update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &timeout);
 	}
+	if (ses.kexstate.needrekey) {
+		timeout = 0;
+	}

 	if (ses.authstate.authdone != 1 && IS_DROPBEAR_SERVER) {
 		/* AUTH_TIMEOUT is only relevant before authdone */
--- a/src/kex.h
+++ b/src/kex.h
@@ -98,6 +98,7 @@ struct KEXState {
 	unsigned int strict_kex;

 	time_t lastkextime; /* time of the last kex */
+	unsigned int needrekey; /* manually trigger a rekey */
 	unsigned int datatrans; /* data transmitted since last kex */
 	unsigned int datarecv; /* data received since last kex */