- markus@cvs.openbsd.org 2001/11/07 16:03:17
[packet.c packet.h sshconnect2.c]
pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.
diff --git a/ChangeLog b/ChangeLog
index 17dd911..986c872 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,10 @@
- markus@cvs.openbsd.org 2001/10/30 20:29:09
[ssh.1]
ssh.1
+ - markus@cvs.openbsd.org 2001/11/07 16:03:17
+ [packet.c packet.h sshconnect2.c]
+ pad using the padding field from the ssh2 packet instead of sending
+ extra ignore messages. tested against several other ssh servers.
20011109
- (stevesk) auth-pam.c: use do_pam_authenticate(PAM_DISALLOW_NULL_AUTHTOK)
@@ -6832,4 +6836,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.1641 2001/11/12 00:02:25 djm Exp $
+$Id: ChangeLog,v 1.1642 2001/11/12 00:02:52 djm Exp $
diff --git a/packet.c b/packet.c
index 95a7218..f34593f 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.70 2001/09/27 11:59:37 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.71 2001/11/07 16:03:17 markus Exp $");
#include "xmalloc.h"
#include "buffer.h"
@@ -115,6 +115,9 @@
/* Session key information for Encryption and MAC */
Newkeys *newkeys[MODE_MAX];
+/* roundup current message to extra_pad bytes */
+static u_char extra_pad = 0;
+
/*
* Sets the descriptors used for communication. Disables encryption until
* packet_set_encryption_key is called.
@@ -485,9 +488,10 @@
{
static u_int32_t seqnr = 0;
u_char type, *ucp, *macbuf = NULL;
+ u_char padlen, pad;
char *cp;
u_int packet_length = 0;
- u_int i, padlen, len;
+ u_int i, len;
u_int32_t rand = 0;
Enc *enc = NULL;
Mac *mac = NULL;
@@ -533,6 +537,15 @@
padlen = block_size - (len % block_size);
if (padlen < 4)
padlen += block_size;
+ if (extra_pad) {
+ /* will wrap if extra_pad+padlen > 255 */
+ extra_pad = roundup(extra_pad, block_size);
+ pad = extra_pad - ((len + padlen) % extra_pad);
+ debug("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
+ pad, len, padlen, extra_pad);
+ padlen += pad;
+ extra_pad = 0;
+ }
buffer_append_space(&outgoing_packet, &cp, padlen);
if (enc && enc->cipher->number != SSH_CIPHER_NONE) {
/* random padding */
@@ -1109,6 +1122,7 @@
else
fatal("Write failed: %.100s", strerror(errno));
}
+debug("packet_write_poll: sent %d bytes", len);
buffer_consume(&output, len);
}
}
@@ -1238,6 +1252,13 @@
return s;
}
+/* roundup current message to pad bytes */
+void
+packet_add_padding(u_char pad)
+{
+ extra_pad = pad;
+}
+
/*
* 9.2. Ignored Data Message
*
@@ -1249,41 +1270,6 @@
* required to send them. This message can be used as an additional
* protection measure against advanced traffic analysis techniques.
*/
-/* size of current + ignore message should be n*sumlen bytes (w/o mac) */
-void
-packet_inject_ignore(int sumlen)
-{
- int blocksize, padlen, have, need, nb, mini, nbytes;
- Enc *enc = NULL;
-
- if (compat20 == 0)
- return;
-
- have = buffer_len(&outgoing_packet);
- debug2("packet_inject_ignore: current %d", have);
- if (newkeys[MODE_OUT] != NULL)
- enc = &newkeys[MODE_OUT]->enc;
- blocksize = enc ? enc->cipher->block_size : 8;
- padlen = blocksize - (have % blocksize);
- if (padlen < 4)
- padlen += blocksize;
- have += padlen;
- have /= blocksize; /* # of blocks for current message */
-
- nb = roundup(sumlen, blocksize) / blocksize; /* blocks for both */
- mini = roundup(5+1+4+4, blocksize) / blocksize; /* minsize ignore msg */
- need = nb - (have % nb); /* blocks for ignore */
- if (need <= mini)
- need += nb;
- nbytes = (need - mini) * blocksize; /* size of ignore payload */
- debug2("packet_inject_ignore: block %d have %d nb %d mini %d need %d",
- blocksize, have, nb, mini, need);
-
- /* enqueue current message and append a ignore message */
- packet_send();
- packet_send_ignore(nbytes);
-}
-
void
packet_send_ignore(int nbytes)
{
diff --git a/packet.h b/packet.h
index ffae736..d547300 100644
--- a/packet.h
+++ b/packet.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: packet.h,v 1.25 2001/06/26 17:27:24 markus Exp $"); */
+/* RCSID("$OpenBSD: packet.h,v 1.26 2001/11/07 16:03:17 markus Exp $"); */
#ifndef PACKET_H
#define PACKET_H
@@ -63,7 +63,7 @@
int packet_connection_is_ipv4(void);
int packet_remaining(void);
void packet_send_ignore(int);
-void packet_inject_ignore(int);
+void packet_add_padding(u_char);
void tty_make_modes(int, struct termios *);
void tty_parse_modes(int, int *);
diff --git a/sshconnect2.c b/sshconnect2.c
index 66dccf6..3107885 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.84 2001/10/29 19:27:15 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.85 2001/11/07 16:03:17 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -460,7 +460,7 @@
packet_put_cstring(password);
memset(password, 0, strlen(password));
xfree(password);
- packet_inject_ignore(64);
+ packet_add_padding(64);
packet_send();
return 1;
}
@@ -817,7 +817,7 @@
}
packet_done(); /* done with parsing incoming message. */
- packet_inject_ignore(64);
+ packet_add_padding(64);
packet_send();
}