>From 801ab40a033869316d1dc14ab3a3a61aa80529fd Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 27 Jun 2013 16:11:54 +0200
Subject: [PATCH 1/3] Enable a padding when sending password, to avoid leakage of password length.
Signed-off-by: Nikos Mavrogiannopoulos
---
 http.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/http.c b/http.c
index 5adacaa..edae694 100644
--- a/http.c
+++ b/http.c
@@ -865,6 +865,7 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 struct oc_text_buf *buf;
 int result, buflen;
 int rq_retry;
+ int rlen, pad;
 redirected:
 vpninfo->redirect_type = REDIR_TYPE_NONE;
@@ -888,8 +889,14 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 add_common_headers(vpninfo, buf);
 if (request_body_type) {
+ rlen = strlen(request_body);
 buf_append(buf, "Content-Type: %s\r\n", request_body_type);
- buf_append(buf, "Content-Length: %zd\r\n", strlen(request_body));
+ buf_append(buf, "Content-Length: %zd\r\n", rlen);
+ /* force body length to be a multiple of 64, to avoid leaking
+ * password length. */
+ pad = 64*(1+rlen/64) - rlen;
+ buf_append(buf, "X-Pad: %0*d\r\n", pad, 0);
 }
 buf_append(buf, "\r\n");
--
1.7.10.4
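Review bot: `rlen` is declared `int` in the first hunk but is passed to `%zd` in `buf_append(buf, "Content-Length: %zd\r\n", rlen);` in the second. Assuming buf_append is printf-style, that is a format/argument mismatch and can emit a wrong Content-Length where `int` and `size_t` differ in width. Either print it with `%d`, or declare `size_t rlen;` and keep `int pad;`, since the `*` width argument must be an `int`. The comment also overstates the effect: the body length is unchanged, and only body plus X-Pad value is rounded to 64, while the Content-Length digit count still varies with `rlen` (99 vs 100 bytes), so I would word it `/* pad the request so body + X-Pad value is a multiple of 64; Content-Length digits still vary */`. A run of `0` characters shrinks to almost nothing under TLS-level compression, and the send path lies outside this hunk, so the hiding presumably holds only with compression off and headers and body written together, which is worth confirming in the rest of do_https_request.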