author | Dug Song <dugsong@cvs.openbsd.org> | 2001-02-08 23:11:44 +0000 |
committer | Dug Song <dugsong@cvs.openbsd.org> | 2001-02-08 23:11:44 +0000 |
commit | f56830a1e5897b0172a0452fc7e4a7ca2208a34b (patch) | |
tree | b8d2e19e786b623f7fbbbd41ddeb944055e3f0d1 /usr.bin/ssh | |
parent | 185d74010b6e2c84788d28271c16a0598d4e9b83 (diff) |
mitigate SSH1 traffic analysis - from Solar Designer <solar@openwall.com>, ok provos@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/serverloop.c | 14 | ||||
-rw-r--r-- | usr.bin/ssh/sshconnect1.c | 20 |
2 files changed, 29 insertions, 5 deletions
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index fddcb747809..a0bc3158318 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.46 2001/02/08 19:30:52 itojun Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.47 2001/02/08 23:11:42 dugsong Exp $");
 #include "xmalloc.h"
 #include "packet.h"
@@ -317,6 +317,7 @@ process_input(fd_set * readset)
 void
 process_output(fd_set * writeset)
 {
+ struct termios tio;
 int len;
 /* Write buffered data to program stdin. */
@@ -336,7 +337,16 @@ process_output(fd_set * writeset)
 #endif
 fdin = -1;
 } else {
- /* Successful write. Consume the data from the buffer. */
+ /* Successful write. */
+ if (tcgetattr(fdin, &tio) == 0 &&
+ !(tio.c_lflag & ECHO)) {
+ /* Simulate echo to reduce the impact of traffic analysis. */
+ packet_start(SSH_MSG_IGNORE);
+ memset(buffer_ptr(&stdin_buffer), 0, len);
+ packet_put_string(buffer_ptr(&stdin_buffer), len);
+ packet_send();
+ }
+ /* Consume the data from the buffer. */
 buffer_consume(&stdin_buffer, len);
 /* Update the count of bytes written to the program. */
 stdin_bytes += len;
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 319306504d3..9d6ab3a6a32 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.24 2001/02/08 19:30:52 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.25 2001/02/08 23:11:43 dugsong Exp $");
 #include <openssl/bn.h>
 #include <openssl/evp.h>
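Review bot: In the `process_output` hunk the simulated echo fires on every successful write while `ECHO` is clear in `c_lflag`, which covers not only password prompts but any program that puts the tty into raw mode (editors, pagers), so each keystroke then costs an extra `SSH_MSG_IGNORE` packet; the comment should say that this is intended, e.g. `/* Simulate echo whenever the tty is not echoing (password prompts, raw mode) to blur the traffic pattern. */`. The `memset(buffer_ptr(&stdin_buffer), 0, len)` also deserves a why-comment, since it is what keeps the already-written keystrokes out of the dummy packet: `/* Zero the consumed bytes so the IGNORE payload carries no plaintext. */`. `tcgetattr` is applied to `fdin`, which for a pty session is presumably the master side; whether its `c_lflag` reflects the slave's echo setting is platform dependent and worth a note at the call. `process_output` continues outside the hunk.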
@@ -51,6 +51,20 @@ u_int supported_authentications = 0;
 extern Options options;
 extern char *__progname;
+void
+ssh1_put_password(char *password)
+{
+ int size;
+ char *padded;
+
+ size = roundup(strlen(password), 32);
+ padded = xmalloc(size);
+ strlcpy(padded, password, size);
+ packet_put_string(padded, size);
+ memset(padded, 0, size);
+ xfree(padded);
+}
+
 /*
 * Checks if the user has an authentication agent, and if so, tries to
 * authenticate using the agent.
@@ -658,7 +672,7 @@ try_challenge_reponse_authentication(void)
 break;
 }
 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
- packet_put_string(response, strlen(response));
+ ssh1_put_password(response);
 memset(response, 0, strlen(response));
 xfree(response);
 packet_send();
@@ -691,7 +705,7 @@ try_password_authentication(char *prompt)
 error("Permission denied, please try again.");
 password = read_passphrase(prompt, 0);
 packet_start(SSH_CMSG_AUTH_PASSWORD);
- packet_put_string(password, strlen(password));
+ ssh1_put_password(password);
 memset(password, 0, strlen(password));
 xfree(password);
 packet_send();
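Review bot: `ssh1_put_password` truncates any password whose length is a multiple of 32: `roundup(strlen(password), 32)` then equals `strlen(password)`, so `strlcpy(padded, password, size)` copies only `size - 1` characters, and an empty password reaches `xmalloc(0)`. The bytes of `padded` beyond the copied string are also never initialised before `packet_put_string(padded, size)` sends them, so heap contents travel to the server inside the padding. Both go away with `size = roundup(strlen(password) + 1, 32);` and a `memset(padded, 0, size);` placed directly after the `xmalloc` call. The NUL-padding scheme further presumes that sshd treats the received string as NUL-terminated, which this diff does not show; a one-line comment above the function stating that assumption would help the next reader.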