This is an automated email from the ASF dual-hosted git repository.

twolf pushed a commit to branch dev_3.0
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 169dd9037aaf7080b6c24cb8adb07d5493f8b941
Author: Thomas Wolf <tw...@apache.org>
AuthorDate: Tue Apr 29 22:48:59 2025 +0200

    Padding doesn't need secure random
    
    Using ThreadLocalRandom should be good enough for both the number of
    padding bytes and for their content. It should also be good enough for
    the injected ignore messages.
---
 .../sshd/common/session/filters/CryptFilter.java   |  5 +-
 .../common/session/filters/InjectIgnoreFilter.java |  5 +-
 .../common/session/filters/SshTransportFilter.java |  3 +-
 .../common/session/filters/ThreadLocalRandom.java  | 65 ++++++++++++++++++++++
 .../session/filters/CompressionFilterTest.java     |  2 -
 .../session/filters/InjectIgnoreFilterTest.java    |  6 +-
 6 files changed, 72 insertions(+), 14 deletions(-)

diff --git 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/CryptFilter.java
 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/CryptFilter.java
index b196d0e40..776591616 100644
--- 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/CryptFilter.java
+++ 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/CryptFilter.java
@@ -89,7 +89,7 @@ public class CryptFilter extends IoFilter implements 
CryptStatisticsProvider {
 
     private final CopyOnWriteArrayList<EncryptionListener> listeners = new 
CopyOnWriteArrayList<>();
 
-    private Random random;
+    private Random random = ThreadLocalRandom.INSTANCE;
 
     private Session session;
 
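Review bot: The `random` field now defaults to a non-cryptographic generator but stays non-final, and `setRandom(...)` appears to remain on CryptFilter, since this commit removes its call sites but no hunk removes the method. If nothing else needs to swap the generator, `private final Random random = ThreadLocalRandom.INSTANCE;` plus dropping the setter would make the choice explicit and immutable. If the setter stays, it should reject null, because `random.random(...)` in the padding path would otherwise fail in the middle of encoding a packet. The setter is outside the visible hunks, so its current null handling needs checking.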
@@ -453,7 +453,8 @@ public class CryptFilter extends IoFilter implements 
CryptStatisticsProvider {
             int pad = minPadding;
             // For low-level messages, do not add extra padding.
             if (cmd >= SshConstants.SSH_MSG_KEXINIT) {
-                // RFC 4253: variable amounts of random padding may help 
thwart traffic analysis.
+                // RFC 4253: variable amounts of random padding may help 
thwart traffic analysis. We don't need a secure
+                // random for this.
                 pad = minPadding + random.random(MAX_PADDING + 1 - minPadding);
             }
             // Now pad is in the range [4..MAX_PADDING]
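Review bot: The added comment records the conclusion ("We don't need a secure random for this") but not the reason, which is what someone auditing RNG use in the transport layer will look for. A wording such as `// Padding length and bytes are not key material and, once a cipher is active, travel inside the encrypted and MAC'ed packet; a non-cryptographic PRNG suffices.` states the assumption being relied on. It would also help to say that variable padding is only a best-effort traffic-analysis measure, since a predictable generator weakens it in principle. The enclosing method starts and ends outside this hunk.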
diff --git 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/InjectIgnoreFilter.java
 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/InjectIgnoreFilter.java
index 9337b3cd3..dec81bf2b 100644
--- 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/InjectIgnoreFilter.java
+++ 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/InjectIgnoreFilter.java
@@ -47,13 +47,12 @@ public class InjectIgnoreFilter extends IoFilter {
 
     private final PropertyResolver resolver;
 
-    private final Random random;
+    private final Random random = ThreadLocalRandom.INSTANCE;
 
     private final OutputHandler output = new Injector();
 
-    public InjectIgnoreFilter(PropertyResolver resolver, Random random) {
+    public InjectIgnoreFilter(PropertyResolver resolver) {
         this.resolver = Objects.requireNonNull(resolver);
-        this.random = Objects.requireNonNull(random);
     }
 
     @Override
diff --git 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/SshTransportFilter.java
 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/SshTransportFilter.java
index 273b00b5f..a5c7ef9ae 100644
--- 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/SshTransportFilter.java
+++ 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/SshTransportFilter.java
@@ -71,7 +71,6 @@ public class SshTransportFilter extends IoFilter {
 
         cryptFilter = new CryptFilter();
         cryptFilter.setSession(session);
-        cryptFilter.setRandom(random);
         filters.addLast(cryptFilter);
 
         compressionFilter = new CompressionFilter();
@@ -80,7 +79,7 @@ public class SshTransportFilter extends IoFilter {
 
         filters.addLast(new PacketLoggingFilter(session, cryptFilter));
 
-        filters.addLast(new InjectIgnoreFilter(session, random));
+        filters.addLast(new InjectIgnoreFilter(session));
 
         kexFilter = new KexFilter(session, random, cryptFilter, 
compressionFilter, events, proposer, checker);
         filters.addLast(kexFilter);
diff --git 
a/sshd-core/src/main/java/org/apache/sshd/common/session/filters/ThreadLocalRandom.java
 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/ThreadLocalRandom.java
new file mode 100644
index 000000000..eac3804ed
--- /dev/null
+++ 
b/sshd-core/src/main/java/org/apache/sshd/common/session/filters/ThreadLocalRandom.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sshd.common.session.filters;
+
+import java.nio.ByteBuffer;
+import java.nio.IntBuffer;
+
+import org.apache.sshd.common.random.Random;
+
+/**
+ * A {@link Random} instance based on {@link 
java.util.concurrent.ThreadLocalRandom}.
+ */
+enum ThreadLocalRandom implements Random {
+
+    INSTANCE;
+
+    ThreadLocalRandom() {
+        // Nothing
+    }
+
+    @Override
+    public String getName() {
+        return "ThreadLocalRandom";
+    }
+
+    @Override
+    public void fill(byte[] bytes, int start, int len) {
+        java.util.concurrent.ThreadLocalRandom rnd = 
java.util.concurrent.ThreadLocalRandom.current();
+        int n = len / 4;
+        if (n > 0) {
+            IntBuffer buf = ByteBuffer.wrap(bytes, start, len).asIntBuffer();
+            rnd.ints(n).forEach(buf::put);
+        }
+        int l = len & 3;
+        if (l > 0) {
+            int x = rnd.nextInt();
+            int pos = start + len - 1;
+            for (int i = 0; i < l; i++) {
+                bytes[pos - i] = (byte) (x & 0xFF);
+                x >>= 8;
+            }
+        }
+    }
+
+    @Override
+    public int random(int n) {
+        return java.util.concurrent.ThreadLocalRandom.current().nextInt(n);
+    }
+}
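Review bot: The class Javadoc should say that this generator is not cryptographically secure and is intended only for packet padding and SSH_MSG_IGNORE filler. It implements the same `Random` interface that key exchange receives, and only its package-private visibility keeps it from being passed there. A sentence like `Not cryptographically secure: use only for padding and ignore-message content, never for keys, IVs, cookies or nonces.` would cover it. Naming the enum `ThreadLocalRandom` also shadows the JDK class inside this package and forces the fully qualified name in every method, so a distinct name would read better. Separately, `fill` does no range check of its own: for a negative `len` the `n > 0` branch is skipped but `len & 3` can still be non-zero, so the tail loop writes before `start`. A guard at the top such as `if (len < 0 || start < 0 || start > bytes.length - len) { throw new IndexOutOfBoundsException(); }` would make it fail fast.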
diff --git 
a/sshd-core/src/test/java/org/apache/sshd/common/session/filters/CompressionFilterTest.java
 
b/sshd-core/src/test/java/org/apache/sshd/common/session/filters/CompressionFilterTest.java
index b8bea7871..cba46053c 100644
--- 
a/sshd-core/src/test/java/org/apache/sshd/common/session/filters/CompressionFilterTest.java
+++ 
b/sshd-core/src/test/java/org/apache/sshd/common/session/filters/CompressionFilterTest.java
@@ -63,8 +63,6 @@ class CompressionFilterTest extends FilterTestSupport {
         filterChain.addLast(crypt);
         filterChain.addLast(filterUnderTest);
         filterChain.addLast(inputs);
-
-        crypt.setRandom(RNG);
     }
 
     private static Stream<Arguments> parameters() {
diff --git 
a/sshd-core/src/test/java/org/apache/sshd/common/session/filters/InjectIgnoreFilterTest.java
 
b/sshd-core/src/test/java/org/apache/sshd/common/session/filters/InjectIgnoreFilterTest.java
index e3467185e..d26a29dd9 100644
--- 
a/sshd-core/src/test/java/org/apache/sshd/common/session/filters/InjectIgnoreFilterTest.java
+++ 
b/sshd-core/src/test/java/org/apache/sshd/common/session/filters/InjectIgnoreFilterTest.java
@@ -26,8 +26,6 @@ import org.apache.sshd.common.PropertyResolverUtils;
 import org.apache.sshd.common.SshConstants;
 import org.apache.sshd.common.filter.DefaultFilterChain;
 import org.apache.sshd.common.filter.FilterChain;
-import org.apache.sshd.common.random.JceRandom;
-import org.apache.sshd.common.random.Random;
 import org.apache.sshd.common.util.buffer.Buffer;
 import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
 import org.apache.sshd.core.CoreModuleProperties;
@@ -38,8 +36,6 @@ import org.junit.jupiter.api.Test;
 @Tag("NoIoTestCase")
 class InjectIgnoreFilterTest extends FilterTestSupport {
 
-    private static final Random RNG = new JceRandom();
-
     private PropertyResolver resolver;
     private OutgoingSink outputs;
     private InjectIgnoreFilter filterUnderTest;
@@ -52,7 +48,7 @@ class InjectIgnoreFilterTest extends FilterTestSupport {
         outputs = new OutgoingSink();
         inputs = new IncomingSink();
         resolver = PropertyResolverUtils.toPropertyResolver(new HashMap<>());
-        filterUnderTest = new InjectIgnoreFilter(resolver, RNG);
+        filterUnderTest = new InjectIgnoreFilter(resolver);
 
         filterChain = new DefaultFilterChain();
         filterChain.addLast(outputs);
