diff options
Diffstat (limited to 'deattack.c')
-rw-r--r-- | deattack.c | 81 |
1 files changed, 43 insertions, 38 deletions
diff --git a/deattack.c b/deattack.c index 1b37e4dab..e76481a6d 100644 --- a/deattack.c +++ b/deattack.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */ | 1 | /* $OpenBSD: deattack.c,v 1.32 2015/01/20 23:14:00 deraadt Exp $ */ |
2 | /* | 2 | /* |
3 | * Cryptographic attack detector for ssh - source code | 3 | * Cryptographic attack detector for ssh - source code |
4 | * | 4 | * |
@@ -20,16 +20,13 @@ | |||
20 | 20 | ||
21 | #include "includes.h" | 21 | #include "includes.h" |
22 | 22 | ||
23 | #include <sys/types.h> | ||
24 | |||
25 | #include <string.h> | 23 | #include <string.h> |
26 | #include <stdio.h> | 24 | #include <stdio.h> |
27 | #include <stdarg.h> | 25 | #include <stdlib.h> |
28 | 26 | ||
29 | #include "xmalloc.h" | ||
30 | #include "deattack.h" | 27 | #include "deattack.h" |
31 | #include "log.h" | ||
32 | #include "crc32.h" | 28 | #include "crc32.h" |
29 | #include "sshbuf.h" | ||
33 | #include "misc.h" | 30 | #include "misc.h" |
34 | 31 | ||
35 | /* | 32 | /* |
@@ -66,7 +63,7 @@ | |||
66 | 63 | ||
67 | 64 | ||
68 | /* Hash function (Input keys are cipher results) */ | 65 | /* Hash function (Input keys are cipher results) */ |
69 | #define HASH(x) get_u32(x) | 66 | #define HASH(x) PEEK_U32(x) |
70 | 67 | ||
71 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) | 68 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) |
72 | 69 | ||
@@ -79,10 +76,10 @@ crc_update(u_int32_t *a, u_int32_t b) | |||
79 | 76 | ||
80 | /* detect if a block is used in a particular pattern */ | 77 | /* detect if a block is used in a particular pattern */ |
81 | static int | 78 | static int |
82 | check_crc(u_char *S, u_char *buf, u_int32_t len) | 79 | check_crc(const u_char *S, const u_char *buf, u_int32_t len) |
83 | { | 80 | { |
84 | u_int32_t crc; | 81 | u_int32_t crc; |
85 | u_char *c; | 82 | const u_char *c; |
86 | 83 | ||
87 | crc = 0; | 84 | crc = 0; |
88 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { | 85 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
@@ -94,36 +91,44 @@ check_crc(u_char *S, u_char *buf, u_int32_t len) | |||
94 | crc_update(&crc, 0); | 91 | crc_update(&crc, 0); |
95 | } | 92 | } |
96 | } | 93 | } |
97 | return (crc == 0); | 94 | return crc == 0; |
98 | } | 95 | } |
99 | 96 | ||
97 | void | ||
98 | deattack_init(struct deattack_ctx *dctx) | ||
99 | { | ||
100 | bzero(dctx, sizeof(*dctx)); | ||
101 | dctx->n = HASH_MINSIZE / HASH_ENTRYSIZE; | ||
102 | } | ||
100 | 103 | ||
101 | /* Detect a crc32 compensation attack on a packet */ | 104 | /* Detect a crc32 compensation attack on a packet */ |
102 | int | 105 | int |
103 | detect_attack(u_char *buf, u_int32_t len) | 106 | detect_attack(struct deattack_ctx *dctx, const u_char *buf, u_int32_t len) |
104 | { | 107 | { |
105 | static u_int16_t *h = (u_int16_t *) NULL; | 108 | u_int32_t i, j, l, same; |
106 | static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; | 109 | u_int16_t *tmp; |
107 | u_int32_t i, j; | 110 | const u_char *c, *d; |
108 | u_int32_t l, same; | ||
109 | u_char *c; | ||
110 | u_char *d; | ||
111 | 111 | ||
112 | if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || | 112 | if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || |
113 | len % SSH_BLOCKSIZE != 0) { | 113 | len % SSH_BLOCKSIZE != 0) |
114 | fatal("detect_attack: bad length %d", len); | 114 | return DEATTACK_ERROR; |
115 | } | 115 | for (l = dctx->n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) |
116 | for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) | ||
117 | ; | 116 | ; |
118 | 117 | ||
119 | if (h == NULL) { | 118 | if (dctx->h == NULL) { |
120 | debug("Installing crc compensation attack detector."); | 119 | if ((dctx->h = calloc(l, HASH_ENTRYSIZE)) == NULL) |
121 | h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE); | 120 | return DEATTACK_ERROR; |
122 | n = l; | 121 | dctx->n = l; |
123 | } else { | 122 | } else { |
124 | if (l > n) { | 123 | if (l > dctx->n) { |
125 | h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); | 124 | if ((tmp = reallocarray(dctx->h, l, HASH_ENTRYSIZE)) |
126 | n = l; | 125 | == NULL) { |
126 | free(dctx->h); | ||
127 | dctx->h = NULL; | ||
128 | return DEATTACK_ERROR; | ||
129 | } | ||
130 | dctx->h = tmp; | ||
131 | dctx->n = l; | ||
127 | } | 132 | } |
128 | } | 133 | } |
129 | 134 | ||
@@ -132,29 +137,29 @@ detect_attack(u_char *buf, u_int32_t len) | |||
132 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { | 137 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { |
133 | if (!CMP(c, d)) { | 138 | if (!CMP(c, d)) { |
134 | if ((check_crc(c, buf, len))) | 139 | if ((check_crc(c, buf, len))) |
135 | return (DEATTACK_DETECTED); | 140 | return DEATTACK_DETECTED; |
136 | else | 141 | else |
137 | break; | 142 | break; |
138 | } | 143 | } |
139 | } | 144 | } |
140 | } | 145 | } |
141 | return (DEATTACK_OK); | 146 | return DEATTACK_OK; |
142 | } | 147 | } |
143 | memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); | 148 | memset(dctx->h, HASH_UNUSEDCHAR, dctx->n * HASH_ENTRYSIZE); |
144 | 149 | ||
145 | for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { | 150 | for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
146 | for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; | 151 | for (i = HASH(c) & (dctx->n - 1); dctx->h[i] != HASH_UNUSED; |
147 | i = (i + 1) & (n - 1)) { | 152 | i = (i + 1) & (dctx->n - 1)) { |
148 | if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { | 153 | if (!CMP(c, buf + dctx->h[i] * SSH_BLOCKSIZE)) { |
149 | if (++same > MAX_IDENTICAL) | 154 | if (++same > MAX_IDENTICAL) |
150 | return (DEATTACK_DOS_DETECTED); | 155 | return DEATTACK_DOS_DETECTED; |
151 | if (check_crc(c, buf, len)) | 156 | if (check_crc(c, buf, len)) |
152 | return (DEATTACK_DETECTED); | 157 | return DEATTACK_DETECTED; |
153 | else | 158 | else |
154 | break; | 159 | break; |
155 | } | 160 | } |
156 | } | 161 | } |
157 | h[i] = j; | 162 | dctx->h[i] = j; |
158 | } | 163 | } |
159 | return (DEATTACK_OK); | 164 | return DEATTACK_OK; |
160 | } | 165 | } |