1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Make the SSH2 traffic analysis defence robust in the face of Zlib

compression. This involves introducing an option to disable Zlib
compression (that is, continue to work within the Zlib format but
output an uncompressed block) for the duration of a single packet.

[originally from svn r982]
This commit is contained in:
Simon Tatham 2001-03-05 16:38:42 +00:00
parent a1d5dab580
commit aaeecbb4ea
3 changed files with 177 additions and 46 deletions

28
ssh.c
View File

@ -3224,15 +3224,29 @@ static void do_ssh2_authconn(unsigned char *in, int inlen, int ispkt)
* reason, we don't do this trick at all because we gain * reason, we don't do this trick at all because we gain
* nothing by it. * nothing by it.
*/ */
if (cscipher) { if (cscipher) {
int i, j; int stringlen, i;
stringlen = (256 - deferred_len);
stringlen += cscipher->blksize - 1;
stringlen -= (stringlen % cscipher->blksize);
if (cscomp) {
/*
* Temporarily disable actual compression,
* so we can guarantee to get this string
* exactly the length we want it. The
* compression-disabling routine should
* return an integer indicating how many
* bytes we should adjust our string length
* by.
*/
stringlen -= cscomp->disable_compression();
}
ssh2_pkt_init(SSH2_MSG_IGNORE); ssh2_pkt_init(SSH2_MSG_IGNORE);
ssh2_pkt_addstring_start(); ssh2_pkt_addstring_start();
for (i = deferred_len; i <= 256; i += cscipher->blksize) { for (i = 0; i < stringlen; i++) {
for (j = 0; j < cscipher->blksize; j++) { char c = (char)random_byte();
char c = (char)random_byte(); ssh2_pkt_addstring_data(&c, 1);
ssh2_pkt_addstring_data(&c, 1);
}
} }
ssh2_pkt_defer(); ssh2_pkt_defer();
} }

1
ssh.h
View File

@ -159,6 +159,7 @@ struct ssh_compress {
void (*decompress_init)(void); void (*decompress_init)(void);
int (*decompress)(unsigned char *block, int len, int (*decompress)(unsigned char *block, int len,
unsigned char **outblock, int *outlen); unsigned char **outblock, int *outlen);
int (*disable_compression)(void);
}; };
struct ssh2_userkey { struct ssh2_userkey {

194
sshzlib.c
View File

@ -70,9 +70,11 @@ static int lz77_init(struct LZ77Context *ctx);
/* /*
* Supply data to be compressed. Will update the private fields of * Supply data to be compressed. Will update the private fields of
* the LZ77Context, and will call literal() and match() to output. * the LZ77Context, and will call literal() and match() to output.
* If `compress' is FALSE, it will never emit a match, but will
* instead call literal() for everything.
*/ */
static void lz77_compress(struct LZ77Context *ctx, static void lz77_compress(struct LZ77Context *ctx,
unsigned char *data, int len); unsigned char *data, int len, int compress);
/* /*
* Modifiable parameters. * Modifiable parameters.
@ -174,7 +176,7 @@ static void lz77_advance(struct LZ77InternalContext *st,
#define CHARAT(k) ( (k)<0 ? st->data[(st->winpos+k)&(WINSIZE-1)] : data[k] ) #define CHARAT(k) ( (k)<0 ? st->data[(st->winpos+k)&(WINSIZE-1)] : data[k] )
static void lz77_compress(struct LZ77Context *ctx, static void lz77_compress(struct LZ77Context *ctx,
unsigned char *data, int len) { unsigned char *data, int len, int compress) {
struct LZ77InternalContext *st = ctx->ictx; struct LZ77InternalContext *st = ctx->ictx;
int i, hash, distance, off, nmatch, matchlen, advance; int i, hash, distance, off, nmatch, matchlen, advance;
struct Match defermatch, matches[MAXMATCH]; struct Match defermatch, matches[MAXMATCH];
@ -203,7 +205,8 @@ static void lz77_compress(struct LZ77Context *ctx,
defermatch.len = 0; defermatch.len = 0;
while (len > 0) { while (len > 0) {
if (len >= HASHCHARS) { /* Don't even look for a match, if we're not compressing. */
if (compress && len >= HASHCHARS) {
/* /*
* Hash the next few characters. * Hash the next few characters.
*/ */
@ -336,6 +339,7 @@ struct Outbuf {
unsigned long outbits; unsigned long outbits;
int noutbits; int noutbits;
int firstblock; int firstblock;
int comp_disabled;
}; };
static void outbits(struct Outbuf *out, unsigned long bits, int nbits) { static void outbits(struct Outbuf *out, unsigned long bits, int nbits) {
@ -460,6 +464,14 @@ static const coderecord distcodes[] = {
static void zlib_literal(struct LZ77Context *ectx, unsigned char c) { static void zlib_literal(struct LZ77Context *ectx, unsigned char c) {
struct Outbuf *out = (struct Outbuf *)ectx->userdata; struct Outbuf *out = (struct Outbuf *)ectx->userdata;
if (out->comp_disabled) {
/*
* We're in an uncompressed block, so just output the byte.
*/
outbits(out, c, 8);
return;
}
if (c <= 143) { if (c <= 143) {
/* 0 through 143 are 8 bits long starting at 00110000. */ /* 0 through 143 are 8 bits long starting at 00110000. */
outbits(out, mirrorbytes[0x30 + c], 8); outbits(out, mirrorbytes[0x30 + c], 8);
@ -473,6 +485,9 @@ static void zlib_match(struct LZ77Context *ectx, int distance, int len) {
const coderecord *d, *l; const coderecord *d, *l;
int i, j, k; int i, j, k;
struct Outbuf *out = (struct Outbuf *)ectx->userdata; struct Outbuf *out = (struct Outbuf *)ectx->userdata;
assert(!out->comp_disabled);
while (len > 0) { while (len > 0) {
int thislen; int thislen;
@ -563,14 +578,56 @@ void zlib_compress_init(void) {
out = smalloc(sizeof(struct Outbuf)); out = smalloc(sizeof(struct Outbuf));
out->outbits = out->noutbits = 0; out->outbits = out->noutbits = 0;
out->firstblock = 1; out->firstblock = 1;
out->comp_disabled = FALSE;
ectx.userdata = out; ectx.userdata = out;
logevent("Initialised zlib (RFC1950) compression"); logevent("Initialised zlib (RFC1950) compression");
} }
/*
* Turn off actual LZ77 analysis for one block, to facilitate
* construction of a precise-length IGNORE packet. Returns the
* length adjustment (which is only valid for packets < 65536
* bytes, but that seems reasonable enough).
*/
int zlib_disable_compression(void) {
struct Outbuf *out = (struct Outbuf *)ectx.userdata;
int n, startbits;
out->comp_disabled = TRUE;
n = 0;
/*
* If this is the first block, we will start by outputting two
* header bytes, and then three bits to begin an uncompressed
* block. This will cost three bytes (because we will start on
* a byte boundary, this is certain).
*/
if (out->firstblock) {
n = 3;
} else {
/*
* Otherwise, we will output seven bits to close the
* previous static block, and _then_ three bits to begin an
* uncompressed block, and then flush the current byte.
* This may cost two bytes or three, depending on noutbits.
*/
n += (out->noutbits + 10) / 8;
}
/*
* Now we output four bytes for the length / ~length pair in
* the uncompressed block.
*/
n += 4;
return n;
}
int zlib_compress_block(unsigned char *block, int len, int zlib_compress_block(unsigned char *block, int len,
unsigned char **outblock, int *outlen) { unsigned char **outblock, int *outlen) {
struct Outbuf *out = (struct Outbuf *)ectx.userdata; struct Outbuf *out = (struct Outbuf *)ectx.userdata;
int in_block;
out->outbuf = NULL; out->outbuf = NULL;
out->outlen = out->outsize = 0; out->outlen = out->outsize = 0;
@ -583,43 +640,101 @@ int zlib_compress_block(unsigned char *block, int len,
if (out->firstblock) { if (out->firstblock) {
outbits(out, 0x9C78, 16); outbits(out, 0x9C78, 16);
out->firstblock = 0; out->firstblock = 0;
/*
* Start a Deflate (RFC1951) fixed-trees block. We transmit in_block = FALSE;
* a zero bit (BFINAL=0), followed by a zero bit and a one
* bit (BTYPE=01). Of course these are in the wrong order
* (01 0).
*/
outbits(out, 2, 3);
} }
/* if (out->comp_disabled) {
* Do the compression. if (in_block)
*/ outbits(out, 0, 7); /* close static block */
lz77_compress(&ectx, block, len);
/* while (len > 0) {
* End the block (by transmitting code 256, which is 0000000 in int blen = (len < 65535 ? len : 65535);
* fixed-tree mode), and transmit some empty blocks to ensure
* we have emitted the byte containing the last piece of /*
* genuine data. There are three ways we can do this: * Start a Deflate (RFC1951) uncompressed block. We
* * transmit a zero bit (BFINAL=0), followed by a zero
* - Minimal flush. Output end-of-block and then open a new * bit and a one bit (BTYPE=00). Of course these are in
* static block. This takes 9 bits, which is guaranteed to * the wrong order (00 0).
* flush out the last genuine code in the closed block; but */
* allegedly zlib can't handle it. outbits(out, 0, 3);
*
* - Zlib partial flush. Output EOB, open and close an empty /*
* static block, and _then_ open the new block. This is the * Output zero bits to align to a byte boundary.
* best zlib can handle. */
* if (out->noutbits)
* - Zlib sync flush. Output EOB, then an empty _uncompressed_ outbits(out, 0, 8 - out->noutbits);
* block (000, then sync to byte boundary, then send bytes
* 00 00 FF FF). Then open the new block. /*
* * Output the block length, and then its one's
* For the moment, we will use Zlib partial flush. * complement. They're little-endian, so all we need to
*/ * do is pass them straight to outbits() with bit count
outbits(out, 0, 7); /* close block */ * 16.
outbits(out, 2, 3+7); /* empty static block */ */
outbits(out, 2, 3); /* open new block */ outbits(out, blen, 16);
outbits(out, blen ^ 0xFFFF, 16);
/*
* Do the `compression': we need to pass the data to
* lz77_compress so that it will be taken into account
* for subsequent (distance,length) pairs. But
* lz77_compress is passed FALSE, which means it won't
* actually find (or even look for) any matches; so
* every character will be passed straight to
* zlib_literal which will spot out->comp_disabled and
* emit in the uncompressed format.
*/
lz77_compress(&ectx, block, blen, FALSE);
len -= blen;
block += blen;
}
outbits(out, 2, 3); /* open new block */
} else {
if (!in_block) {
/*
* Start a Deflate (RFC1951) fixed-trees block. We
* transmit a zero bit (BFINAL=0), followed by a zero
* bit and a one bit (BTYPE=01). Of course these are in
* the wrong order (01 0).
*/
outbits(out, 2, 3);
}
/*
* Do the compression.
*/
lz77_compress(&ectx, block, len, TRUE);
/*
* End the block (by transmitting code 256, which is
* 0000000 in fixed-tree mode), and transmit some empty
* blocks to ensure we have emitted the byte containing the
* last piece of genuine data. There are three ways we can
* do this:
*
* - Minimal flush. Output end-of-block and then open a
* new static block. This takes 9 bits, which is
* guaranteed to flush out the last genuine code in the
* closed block; but allegedly zlib can't handle it.
*
* - Zlib partial flush. Output EOB, open and close an
* empty static block, and _then_ open the new block.
* This is the best zlib can handle.
*
* - Zlib sync flush. Output EOB, then an empty
* _uncompressed_ block (000, then sync to byte
* boundary, then send bytes 00 00 FF FF). Then open the
* new block.
*
* For the moment, we will use Zlib partial flush.
*/
outbits(out, 0, 7); /* close block */
outbits(out, 2, 3+7); /* empty static block */
outbits(out, 2, 3); /* open new block */
}
out->comp_disabled = FALSE;
*outblock = out->outbuf; *outblock = out->outbuf;
*outlen = out->outlen; *outlen = out->outlen;
@ -1034,5 +1149,6 @@ const struct ssh_compress ssh_zlib = {
zlib_compress_init, zlib_compress_init,
zlib_compress_block, zlib_compress_block,
zlib_decompress_init, zlib_decompress_init,
zlib_decompress_block zlib_decompress_block,
zlib_disable_compression
}; };