author | Damien Miller <djm@mindrot.org> | 2005-07-26 21:54:56 +1000 |
committer | Damien Miller <djm@mindrot.org> | 2005-07-26 21:54:56 +1000 |
commit | 9786e6e2a034a8273b5d0d3b8cd8caf063bb875a (patch) | |
tree | 0322eb7ffcdd5600fb25094e9627cd62291da2e4 /packet.c | |
parent | 47655ee03a67ed89ef55c957e5a8183ca3113d2c (diff) |
- markus@cvs.openbsd.org 2005/07/25 11:59:40
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
[sshconnect2.c sshd.c sshd_config sshd_config.5]
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.
this breaks older OpenSSH clients (< 3.5) that insist on compression; to keep
supporting them, compression has to be explicitly re-enabled in sshd_config.
ok djm@
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 56 |
1 files changed, 54 insertions, 2 deletions
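--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.117 2005/06/17 02:44:32 djm Exp $");
+RCSID("$OpenBSD: packet.c,v 1.118 2005/07/25 11:59:39 markus Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -116,6 +116,12 @@ static int initialized = 0;
 /* Set to true if the connection is interactive. */
 static int interactive_mode = 0;
 
+/* Set to true if we are the server side. */
+static int server_side = 0;
+
+/* Set to true if we are authenticated. */
+static int after_authentication = 0;
+
 /* Session key information for Encryption and MAC */
 Newkeys *newkeys[MODE_MAX];
 static struct packet_state {
@@ -624,7 +630,9 @@ set_newkeys(int mode)
 	/* Deleting the keys does not gain extra security */
 	/* memset(enc->iv, 0, enc->block_size);
 	memset(enc->key, 0, enc->key_len); */
-	if (comp->type != 0 && comp->enabled == 0) {
+	if ((comp->type == COMP_ZLIB ||
+	    (comp->type == COMP_DELAYED && after_authentication)) &&
+	    comp->enabled == 0) {
 		packet_init_compression();
 		if (mode == MODE_OUT)
 			buffer_compress_init_send(6);
@@ -645,6 +653,34 @@ set_newkeys(int mode)
 }
 
 /*
+ * Delayed compression for SSH2 is enabled after authentication:
+ * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
+ * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
+ */
+static void
+packet_enable_delayed_compress(void)
+{
+	Comp *comp = NULL;
+	int mode;
+
+	/*
+	 * Remember that we are past the authentication step, so rekeying
+	 * with COMP_DELAYED will turn on compression immediately.
+	 */
+	after_authentication = 1;
+	for (mode = 0; mode < MODE_MAX; mode++) {
+		comp = &newkeys[mode]->comp;
+		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+			if (mode == MODE_OUT)
+				buffer_compress_init_send(6);
+			else
+				buffer_compress_init_recv();
+			comp->enabled = 1;
+		}
+	}
+}
+
+/*
  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
  */
 static void
@@ -757,6 +793,8 @@ packet_send2_wrapped(void)
 
 	if (type == SSH2_MSG_NEWKEYS)
 		set_newkeys(MODE_OUT);
+	else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
+		packet_enable_delayed_compress();
 }
 
 static void
@@ -1099,6 +1137,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
 		packet_disconnect("Invalid ssh2 packet type: %d", type);
 	if (type == SSH2_MSG_NEWKEYS)
 		set_newkeys(MODE_IN);
+	else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
+		packet_enable_delayed_compress();
 #ifdef PACKET_DEBUG
 	fprintf(stderr, "read/plain[%d]:\r\n", type);
 	buffer_dump(&incoming_packet);
@@ -1524,3 +1564,15 @@ packet_set_rekey_limit(u_int32_t bytes)
 {
 	rekey_limit = bytes;
 }
+
+void
+packet_set_server(void)
+{
+	server_side = 1;
+}
+
+void
+packet_set_authenticated(void)
+{
+	after_authentication = 1;
+}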
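Review bot: In the new packet_enable_delayed_compress() (new-file lines 660-681) the guard `if (comp && !comp->enabled && ...)` tests the wrong pointer: comp is assigned `&newkeys[mode]->comp`, the address of a struct member, which is never NULL, whereas newkeys[mode] itself is the pointer that can still be NULL. packet_read_poll2() now calls this function purely on the message type, so if a peer sends SSH2_MSG_USERAUTH_SUCCESS before any SSH2_MSG_NEWKEYS has populated newkeys[], the loop dereferences a null Newkeys pointer; on the client side (the `!server_side` branch) that would be a remotely triggered pre-authentication crash, unless something earlier in the read path already rejects the message, which is not visible in this hunk. Check the array entry instead, `if (newkeys[mode] == NULL) continue;` before `comp = &newkeys[mode]->comp;`, and drop the redundant `comp &&` from the condition. The comment above the function also has a typo (`happans` → `happens`) that could be fixed while here.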