xref: /titanic_41/usr/src/cmd/ssh/libssh/common/deattack.c (revision 8d483882aa3390058094b043f3d62187b5d1de03)
1 /*
2  * Cryptographic attack detector for ssh - source code
3  *
4  * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
5  *
6  * All rights reserved. Redistribution and use in source and binary
7  * forms, with or without modification, are permitted provided that
8  * this copyright notice is retained.
9  *
10  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
11  * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
12  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
13  * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
14  * SOFTWARE.
15  *
16  * Ariel Futoransky <futo@core-sdi.com>
17  * <http://www.core-sdi.com>
18  */
19 
20 #include "includes.h"
21 RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $");
22 
23 #pragma ident	"%Z%%M%	%I%	%E% SMI"
24 
25 #include "deattack.h"
26 #include "log.h"
27 #include "crc32.h"
28 #include "getput.h"
29 #include "xmalloc.h"
30 #include "deattack.h"
31 
32 /*
33  * CRC attack detection has a worst-case behaviour that is O(N^2) over
34  * the number of identical blocks in a packet. This behaviour can be
35  * exploited to create a limited denial of service attack.
36  *
37  * However, because we are dealing with encrypted data, identical
38  * blocks should only occur every 2^35 maximally-sized packets or so.
39  * Consequently, we can detect this DoS by looking for identical blocks
40  * in a packet.
41  *
42  * The parameter below determines how many identical blocks we will
43  * accept in a single packet, trading off between attack detection and
44  * likelihood of terminating a legitimate connection. A value of 32
45  * corresponds to an average of 2^40 messages before an attack is
46  * misdetected
47  */
48 #define MAX_IDENTICAL	32
49 
50 /* SSH Constants */
51 #define SSH_MAXBLOCKS	(32 * 1024)
52 #define SSH_BLOCKSIZE	(8)
53 
54 /* Hashing constants */
55 #define HASH_MINSIZE	(8 * 1024)
56 #define HASH_ENTRYSIZE	(2)
57 #define HASH_FACTOR(x)	((x)*3/2)
58 #define HASH_UNUSEDCHAR	(0xff)
59 #define HASH_UNUSED	(0xffff)
60 #define HASH_IV		(0xfffe)
61 
62 #define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
63 
64 
65 /* Hash function (Input keys are cipher results) */
66 #define HASH(x)		GET_32BIT(x)
67 
68 #define CMP(a, b)	(memcmp(a, b, SSH_BLOCKSIZE))
69 
70 static void
71 crc_update(u_int32_t *a, u_int32_t b)
72 {
73 	b ^= *a;
74 	*a = ssh_crc32((u_char *) &b, sizeof(b));
75 }
76 
77 /* detect if a block is used in a particular pattern */
78 static int
79 check_crc(u_char *S, u_char *buf, u_int32_t len,
80 	  u_char *IV)
81 {
82 	u_int32_t crc;
83 	u_char *c;
84 
85 	crc = 0;
86 	if (IV && !CMP(S, IV)) {
87 		crc_update(&crc, 1);
88 		crc_update(&crc, 0);
89 	}
90 	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
91 		if (!CMP(S, c)) {
92 			crc_update(&crc, 1);
93 			crc_update(&crc, 0);
94 		} else {
95 			crc_update(&crc, 0);
96 			crc_update(&crc, 0);
97 		}
98 	}
99 	return (crc == 0);
100 }
101 
102 
103 /* Detect a crc32 compensation attack on a packet */
104 int
105 detect_attack(u_char *buf, u_int32_t len, u_char *IV)
106 {
107 	static u_int16_t *h = (u_int16_t *) NULL;
108 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
109 	u_int32_t i, j;
110 	u_int32_t l, same;
111 	u_char *c;
112 	u_char *d;
113 
114 	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
115 	    len % SSH_BLOCKSIZE != 0) {
116 		fatal("detect_attack: bad length %d", len);
117 	}
118 	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
119 		;
120 
121 	if (h == NULL) {
122 		debug("Installing crc compensation attack detector.");
123 		n = l;
124 		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
125 	} else {
126 		if (l > n) {
127 			n = l;
128 			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
129 		}
130 	}
131 
132 	if (len <= HASH_MINBLOCKS) {
133 		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
134 			if (IV && (!CMP(c, IV))) {
135 				if ((check_crc(c, buf, len, IV)))
136 					return (DEATTACK_DETECTED);
137 				else
138 					break;
139 			}
140 			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
141 				if (!CMP(c, d)) {
142 					if ((check_crc(c, buf, len, IV)))
143 						return (DEATTACK_DETECTED);
144 					else
145 						break;
146 				}
147 			}
148 		}
149 		return (DEATTACK_OK);
150 	}
151 	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
152 
153 	if (IV)
154 		h[HASH(IV) & (n - 1)] = HASH_IV;
155 
156 	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
157 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
158 		    i = (i + 1) & (n - 1)) {
159 			if (h[i] == HASH_IV) {
160 				if (!CMP(c, IV)) {
161 					if (check_crc(c, buf, len, IV))
162 						return (DEATTACK_DETECTED);
163 					else
164 						break;
165 				}
166 			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
167 				if (++same > MAX_IDENTICAL)
168 					return (DEATTACK_DOS_DETECTED);
169 				if (check_crc(c, buf, len, IV))
170 					return (DEATTACK_DETECTED);
171 				else
172 					break;
173 			}
174 		}
175 		h[i] = j;
176 	}
177 	return (DEATTACK_OK);
178 }
179