diff options
Diffstat (limited to 'deattack.c')
-rw-r--r-- | deattack.c | 76 |
1 files changed, 40 insertions, 36 deletions
diff --git a/deattack.c b/deattack.c index 8b55d6686..1b37e4dab 100644 --- a/deattack.c +++ b/deattack.c | |||
@@ -1,3 +1,4 @@ | |||
1 | /* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */ | ||
1 | /* | 2 | /* |
2 | * Cryptographic attack detector for ssh - source code | 3 | * Cryptographic attack detector for ssh - source code |
3 | * | 4 | * |
@@ -18,14 +19,36 @@ | |||
18 | */ | 19 | */ |
19 | 20 | ||
20 | #include "includes.h" | 21 | #include "includes.h" |
21 | RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $"); | ||
22 | 22 | ||
23 | #include <sys/types.h> | ||
24 | |||
25 | #include <string.h> | ||
26 | #include <stdio.h> | ||
27 | #include <stdarg.h> | ||
28 | |||
29 | #include "xmalloc.h" | ||
23 | #include "deattack.h" | 30 | #include "deattack.h" |
24 | #include "log.h" | 31 | #include "log.h" |
25 | #include "crc32.h" | 32 | #include "crc32.h" |
26 | #include "getput.h" | 33 | #include "misc.h" |
27 | #include "xmalloc.h" | 34 | |
28 | #include "deattack.h" | 35 | /* |
36 | * CRC attack detection has a worst-case behaviour that is O(N^3) over | ||
37 | * the number of identical blocks in a packet. This behaviour can be | ||
38 | * exploited to create a limited denial of service attack. | ||
39 | * | ||
40 | * However, because we are dealing with encrypted data, identical | ||
41 | * blocks should only occur every 2^35 maximally-sized packets or so. | ||
42 | * Consequently, we can detect this DoS by looking for identical blocks | ||
43 | * in a packet. | ||
44 | * | ||
45 | * The parameter below determines how many identical blocks we will | ||
46 | * accept in a single packet, trading off between attack detection and | ||
47 | * likelihood of terminating a legitimate connection. A value of 32 | ||
48 | * corresponds to an average of 2^40 messages before an attack is | ||
49 | * misdetected | ||
50 | */ | ||
51 | #define MAX_IDENTICAL 32 | ||
29 | 52 | ||
30 | /* SSH Constants */ | 53 | /* SSH Constants */ |
31 | #define SSH_MAXBLOCKS (32 * 1024) | 54 | #define SSH_MAXBLOCKS (32 * 1024) |
@@ -43,7 +66,7 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $"); | |||
43 | 66 | ||
44 | 67 | ||
45 | /* Hash function (Input keys are cipher results) */ | 68 | /* Hash function (Input keys are cipher results) */ |
46 | #define HASH(x) GET_32BIT(x) | 69 | #define HASH(x) get_u32(x) |
47 | 70 | ||
48 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) | 71 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) |
49 | 72 | ||
@@ -51,22 +74,17 @@ static void | |||
51 | crc_update(u_int32_t *a, u_int32_t b) | 74 | crc_update(u_int32_t *a, u_int32_t b) |
52 | { | 75 | { |
53 | b ^= *a; | 76 | b ^= *a; |
54 | *a = ssh_crc32((u_char *) &b, sizeof(b)); | 77 | *a = ssh_crc32((u_char *)&b, sizeof(b)); |
55 | } | 78 | } |
56 | 79 | ||
57 | /* detect if a block is used in a particular pattern */ | 80 | /* detect if a block is used in a particular pattern */ |
58 | static int | 81 | static int |
59 | check_crc(u_char *S, u_char *buf, u_int32_t len, | 82 | check_crc(u_char *S, u_char *buf, u_int32_t len) |
60 | u_char *IV) | ||
61 | { | 83 | { |
62 | u_int32_t crc; | 84 | u_int32_t crc; |
63 | u_char *c; | 85 | u_char *c; |
64 | 86 | ||
65 | crc = 0; | 87 | crc = 0; |
66 | if (IV && !CMP(S, IV)) { | ||
67 | crc_update(&crc, 1); | ||
68 | crc_update(&crc, 0); | ||
69 | } | ||
70 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { | 88 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
71 | if (!CMP(S, c)) { | 89 | if (!CMP(S, c)) { |
72 | crc_update(&crc, 1); | 90 | crc_update(&crc, 1); |
@@ -82,12 +100,12 @@ check_crc(u_char *S, u_char *buf, u_int32_t len, | |||
82 | 100 | ||
83 | /* Detect a crc32 compensation attack on a packet */ | 101 | /* Detect a crc32 compensation attack on a packet */ |
84 | int | 102 | int |
85 | detect_attack(u_char *buf, u_int32_t len, u_char *IV) | 103 | detect_attack(u_char *buf, u_int32_t len) |
86 | { | 104 | { |
87 | static u_int16_t *h = (u_int16_t *) NULL; | 105 | static u_int16_t *h = (u_int16_t *) NULL; |
88 | static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; | 106 | static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; |
89 | u_int32_t i, j; | 107 | u_int32_t i, j; |
90 | u_int32_t l; | 108 | u_int32_t l, same; |
91 | u_char *c; | 109 | u_char *c; |
92 | u_char *d; | 110 | u_char *d; |
93 | 111 | ||
@@ -100,26 +118,20 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV) | |||
100 | 118 | ||
101 | if (h == NULL) { | 119 | if (h == NULL) { |
102 | debug("Installing crc compensation attack detector."); | 120 | debug("Installing crc compensation attack detector."); |
103 | h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); | 121 | h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE); |
104 | n = l; | 122 | n = l; |
105 | } else { | 123 | } else { |
106 | if (l > n) { | 124 | if (l > n) { |
107 | h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); | 125 | h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); |
108 | n = l; | 126 | n = l; |
109 | } | 127 | } |
110 | } | 128 | } |
111 | 129 | ||
112 | if (len <= HASH_MINBLOCKS) { | 130 | if (len <= HASH_MINBLOCKS) { |
113 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { | 131 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
114 | if (IV && (!CMP(c, IV))) { | ||
115 | if ((check_crc(c, buf, len, IV))) | ||
116 | return (DEATTACK_DETECTED); | ||
117 | else | ||
118 | break; | ||
119 | } | ||
120 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { | 132 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { |
121 | if (!CMP(c, d)) { | 133 | if (!CMP(c, d)) { |
122 | if ((check_crc(c, buf, len, IV))) | 134 | if ((check_crc(c, buf, len))) |
123 | return (DEATTACK_DETECTED); | 135 | return (DEATTACK_DETECTED); |
124 | else | 136 | else |
125 | break; | 137 | break; |
@@ -130,21 +142,13 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV) | |||
130 | } | 142 | } |
131 | memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); | 143 | memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); |
132 | 144 | ||
133 | if (IV) | 145 | for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
134 | h[HASH(IV) & (n - 1)] = HASH_IV; | ||
135 | |||
136 | for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { | ||
137 | for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; | 146 | for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; |
138 | i = (i + 1) & (n - 1)) { | 147 | i = (i + 1) & (n - 1)) { |
139 | if (h[i] == HASH_IV) { | 148 | if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { |
140 | if (!CMP(c, IV)) { | 149 | if (++same > MAX_IDENTICAL) |
141 | if (check_crc(c, buf, len, IV)) | 150 | return (DEATTACK_DOS_DETECTED); |
142 | return (DEATTACK_DETECTED); | 151 | if (check_crc(c, buf, len)) |
143 | else | ||
144 | break; | ||
145 | } | ||
146 | } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { | ||
147 | if (check_crc(c, buf, len, IV)) | ||
148 | return (DEATTACK_DETECTED); | 152 | return (DEATTACK_DETECTED); |
149 | else | 153 | else |
150 | break; | 154 | break; |