From 030ab3444bdec54e29fc1e9dc30507d2e60075dc Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 13 Oct 2024 22:20:06 +0000
Subject: [PATCH] don't start the ObscureKeystrokeTiming mitigations if there has been traffic on a X11 forwarding channel recently. Should fix X11 forwarding performance problems when this setting is enabled. Patch from Antonio Larrosa via bz3655
---
 usr.bin/ssh/channels.c | 21 ++++++++++++++++++++-
 usr.bin/ssh/channels.h | 3 ++-
 usr.bin/ssh/clientloop.c | 7 ++++---
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 15e702c32fe..07e8c08658d 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.439 2024/07/25 22:40:08 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.440 2024/10/13 22:20:06 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -5219,3 +5219,22 @@ x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
 fatal_fr(r, "send x11-req");
 free(new_data);
 }
+
+/*
+ * Returns whether an x11 channel was used recently (less than a second ago)
+ */
+int
+x11_channel_used_recently(struct ssh *ssh) {
+ u_int i;
+ Channel *c;
+ time_t lastused = 0;
+
+ for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
+ c = ssh->chanctxt->channels[i];
+ if (c == NULL || c->ctype == NULL || c->lastused == 0 ||
+ strcmp(c->ctype, "x11-connection") != 0)
+ continue;
+ lastused = c->lastused;
+ }
+ return lastused != 0 && monotime() > lastused + 1;
+}
diff --git a/usr.bin/ssh/channels.h b/usr.bin/ssh/channels.h
index 8a4615edac6..c227320af3a 100644
--- a/usr.bin/ssh/channels.h
+++ b/usr.bin/ssh/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.157 2024/07/25 22:40:08 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.158 2024/10/13 22:20:06 djm Exp $ */
 /*
  * Author: Tatu Ylonen
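Review bot: The predicate on the last added line of x11_channel_used_recently is inverted relative to the comment above it: `monotime() > lastused + 1` is true only once more than a second has passed since the channel was last used, so the function reports "used recently" exactly when the X11 channel has gone quiet, and the clientloop.c hunk that returns this value in place of the old `return 0` therefore skips the keystroke-timing gate in the wrong case. The loop also assigns `lastused = c->lastused;` unconditionally, so the result is the timestamp of the highest-indexed x11-connection channel rather than the most recently used one; keep the maximum instead, `if (c->lastused > lastused) lastused = c->lastused;`, and return `lastused != 0 && monotime() <= lastused + 1;` so the value matches the comment. The type of `c->lastused` and where it is refreshed are not visible in this hunk, so the one-second window should be checked against that code. As a style nit, the opening brace of the function definition belongs on its own line per KNF, as on the other definitions in channels.c.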
@@ -379,6 +379,7 @@ int x11_connect_display(struct ssh *);
 int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
 void x11_request_forwarding_with_spoofing(struct ssh *, int,
 const char *, const char *, const char *, int);
+int x11_channel_used_recently(struct ssh *ssh);
 
 /* channel close */
diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c
index c5296e32f04..07c321cc3d9 100644
--- a/usr.bin/ssh/clientloop.c
+++ b/usr.bin/ssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.409 2024/10/13 22:20:06 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -650,9 +650,10 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
 if (just_started)
 return 1;
 
- /* Don't arm output fd for poll until the timing interval has elapsed */
+ /* Don't arm output fd for poll until the timing interval has elapsed... */
 if (timespeccmp(&now, &next_interval, <))
- return 0;
+ /* ...unless there's x11 communicattion happening */
+ return x11_channel_used_recently(ssh);
 
 /* Calculate number of intervals missed since the last check */
 n = (now.tv_sec - next_interval.tv_sec) * 1000LL * 1000 * 1000;
--
2.20.1
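Review bot: The new prototype in channels.h names its parameter, `int x11_channel_used_recently(struct ssh *ssh);`, while every neighbouring x11_* declaration in the hunk leaves parameters unnamed; for consistency write `int x11_channel_used_recently(struct ssh *);`. The function-name tab alignment used by the adjacent lines cannot be checked here because the whitespace was flattened in this rendering.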
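Review bot: The added comment `/* ...unless there's x11 communicattion happening */` has a typo and is placed between the `if` and its un-braced body, where a reader scans it as the controlled statement; move it above the condition: `/* ...unless there's x11 communication happening */`, `if (timespeccmp(&now, &next_interval, <))`, `return x11_channel_used_recently(ssh);`. That comment should also state the trade-off explicitly, since the nonzero return here is the same early-arm path used for `just_started`: while an x11-connection channel has seen traffic within the last second, the interval gate is not applied, so keystrokes typed during active X11 traffic leave without the ObscureKeystrokeTiming mitigation. Whether the value is correct at all depends on the predicate in channels.c, raised on that hunk. obfuscate_keystroke_timing begins and ends outside this hunk, so what the remainder of the function does with a nonzero return cannot be confirmed here.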