diff options
-rw-r--r-- | channels.c | 18 | ||||
-rw-r--r-- | sshconnect1.c | 10 |
2 files changed, 9 insertions, 19 deletions
diff --git a/channels.c b/channels.c index 241aa3cdc..5d8c2a0c0 100644 --- a/channels.c +++ b/channels.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: channels.c,v 1.352 2016/09/12 01:22:38 deraadt Exp $ */ | 1 | /* $OpenBSD: channels.c,v 1.353 2016/09/19 07:52:42 natano Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -4215,7 +4215,6 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, | |||
4215 | char *new_data; | 4215 | char *new_data; |
4216 | int screen_number; | 4216 | int screen_number; |
4217 | const char *cp; | 4217 | const char *cp; |
4218 | u_int32_t rnd = 0; | ||
4219 | 4218 | ||
4220 | if (x11_saved_display == NULL) | 4219 | if (x11_saved_display == NULL) |
4221 | x11_saved_display = xstrdup(disp); | 4220 | x11_saved_display = xstrdup(disp); |
@@ -4236,23 +4235,20 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, | |||
4236 | if (x11_saved_proto == NULL) { | 4235 | if (x11_saved_proto == NULL) { |
4237 | /* Save protocol name. */ | 4236 | /* Save protocol name. */ |
4238 | x11_saved_proto = xstrdup(proto); | 4237 | x11_saved_proto = xstrdup(proto); |
4239 | /* | 4238 | |
4240 | * Extract real authentication data and generate fake data | 4239 | /* Extract real authentication data. */ |
4241 | * of the same length. | ||
4242 | */ | ||
4243 | x11_saved_data = xmalloc(data_len); | 4240 | x11_saved_data = xmalloc(data_len); |
4244 | x11_fake_data = xmalloc(data_len); | ||
4245 | for (i = 0; i < data_len; i++) { | 4241 | for (i = 0; i < data_len; i++) { |
4246 | if (sscanf(data + 2 * i, "%2x", &value) != 1) | 4242 | if (sscanf(data + 2 * i, "%2x", &value) != 1) |
4247 | fatal("x11_request_forwarding: bad " | 4243 | fatal("x11_request_forwarding: bad " |
4248 | "authentication data: %.100s", data); | 4244 | "authentication data: %.100s", data); |
4249 | if (i % 4 == 0) | ||
4250 | rnd = arc4random(); | ||
4251 | x11_saved_data[i] = value; | 4245 | x11_saved_data[i] = value; |
4252 | x11_fake_data[i] = rnd & 0xff; | ||
4253 | rnd >>= 8; | ||
4254 | } | 4246 | } |
4255 | x11_saved_data_len = data_len; | 4247 | x11_saved_data_len = data_len; |
4248 | |||
4249 | /* Generate fake data of the same length. */ | ||
4250 | x11_fake_data = xmalloc(data_len); | ||
4251 | arc4random_buf(x11_fake_data, data_len); | ||
4256 | x11_fake_data_len = data_len; | 4252 | x11_fake_data_len = data_len; |
4257 | } | 4253 | } |
4258 | 4254 | ||
diff --git a/sshconnect1.c b/sshconnect1.c index bfc523bde..a04536184 100644 --- a/sshconnect1.c +++ b/sshconnect1.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect1.c,v 1.78 2015/11/15 22:26:49 jcs Exp $ */ | 1 | /* $OpenBSD: sshconnect1.c,v 1.79 2016/09/19 07:52:42 natano Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -509,7 +509,6 @@ ssh_kex(char *host, struct sockaddr *hostaddr) | |||
509 | u_char cookie[8]; | 509 | u_char cookie[8]; |
510 | u_int supported_ciphers; | 510 | u_int supported_ciphers; |
511 | u_int server_flags, client_flags; | 511 | u_int server_flags, client_flags; |
512 | u_int32_t rnd = 0; | ||
513 | 512 | ||
514 | debug("Waiting for server public key."); | 513 | debug("Waiting for server public key."); |
515 | 514 | ||
@@ -568,12 +567,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr) | |||
568 | * random number, interpreted as a 32-byte key, with the least | 567 | * random number, interpreted as a 32-byte key, with the least |
569 | * significant 8 bits being the first byte of the key. | 568 | * significant 8 bits being the first byte of the key. |
570 | */ | 569 | */ |
571 | for (i = 0; i < 32; i++) { | 570 | arc4random_buf(session_key, sizeof(session_key)); |
572 | if (i % 4 == 0) | ||
573 | rnd = arc4random(); | ||
574 | session_key[i] = rnd & 0xff; | ||
575 | rnd >>= 8; | ||
576 | } | ||
577 | 571 | ||
578 | /* | 572 | /* |
579 | * According to the protocol spec, the first byte of the session key | 573 | * According to the protocol spec, the first byte of the session key |