xref: /titanic_50/usr/src/cmd/ssh/libssh/common/deattack.c (revision 60779adb24bbd974e68a9993a8eafd79a30ad887) 
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * Cryptographic attack detector for ssh - source code
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
57c478bd9Sstevel@tonic-gate  *
67c478bd9Sstevel@tonic-gate  * All rights reserved. Redistribution and use in source and binary
77c478bd9Sstevel@tonic-gate  * forms, with or without modification, are permitted provided that
87c478bd9Sstevel@tonic-gate  * this copyright notice is retained.
97c478bd9Sstevel@tonic-gate  *
107c478bd9Sstevel@tonic-gate  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
117c478bd9Sstevel@tonic-gate  * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
127c478bd9Sstevel@tonic-gate  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
137c478bd9Sstevel@tonic-gate  * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
147c478bd9Sstevel@tonic-gate  * SOFTWARE.
157c478bd9Sstevel@tonic-gate  *
167c478bd9Sstevel@tonic-gate  * Ariel Futoransky <futo@core-sdi.com>
177c478bd9Sstevel@tonic-gate  * <http://www.core-sdi.com>
187c478bd9Sstevel@tonic-gate  */
197c478bd9Sstevel@tonic-gate 
207c478bd9Sstevel@tonic-gate #include "includes.h"
217c478bd9Sstevel@tonic-gate RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $");
227c478bd9Sstevel@tonic-gate 
237c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
247c478bd9Sstevel@tonic-gate 
257c478bd9Sstevel@tonic-gate #include "deattack.h"
267c478bd9Sstevel@tonic-gate #include "log.h"
277c478bd9Sstevel@tonic-gate #include "crc32.h"
287c478bd9Sstevel@tonic-gate #include "getput.h"
297c478bd9Sstevel@tonic-gate #include "xmalloc.h"
307c478bd9Sstevel@tonic-gate #include "deattack.h"
317c478bd9Sstevel@tonic-gate 
32*60779adbSjp161948 /*
33*60779adbSjp161948  * CRC attack detection has a worst-case behaviour that is O(N^2) over
34*60779adbSjp161948  * the number of identical blocks in a packet. This behaviour can be
35*60779adbSjp161948  * exploited to create a limited denial of service attack.
36*60779adbSjp161948  *
37*60779adbSjp161948  * However, because we are dealing with encrypted data, identical
38*60779adbSjp161948  * blocks should only occur every 2^35 maximally-sized packets or so.
39*60779adbSjp161948  * Consequently, we can detect this DoS by looking for identical blocks
40*60779adbSjp161948  * in a packet.
41*60779adbSjp161948  *
42*60779adbSjp161948  * The parameter below determines how many identical blocks we will
43*60779adbSjp161948  * accept in a single packet, trading off between attack detection and
44*60779adbSjp161948  * likelihood of terminating a legitimate connection. A value of 32
45*60779adbSjp161948  * corresponds to an average of 2^40 messages before an attack is
46*60779adbSjp161948  * misdetected
47*60779adbSjp161948  */
48*60779adbSjp161948 #define MAX_IDENTICAL	32
49*60779adbSjp161948 
507c478bd9Sstevel@tonic-gate /* SSH Constants */
517c478bd9Sstevel@tonic-gate #define SSH_MAXBLOCKS	(32 * 1024)
527c478bd9Sstevel@tonic-gate #define SSH_BLOCKSIZE	(8)
537c478bd9Sstevel@tonic-gate 
547c478bd9Sstevel@tonic-gate /* Hashing constants */
557c478bd9Sstevel@tonic-gate #define HASH_MINSIZE	(8 * 1024)
567c478bd9Sstevel@tonic-gate #define HASH_ENTRYSIZE	(2)
577c478bd9Sstevel@tonic-gate #define HASH_FACTOR(x)	((x)*3/2)
587c478bd9Sstevel@tonic-gate #define HASH_UNUSEDCHAR	(0xff)
597c478bd9Sstevel@tonic-gate #define HASH_UNUSED	(0xffff)
607c478bd9Sstevel@tonic-gate #define HASH_IV		(0xfffe)
617c478bd9Sstevel@tonic-gate 
627c478bd9Sstevel@tonic-gate #define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
637c478bd9Sstevel@tonic-gate 
647c478bd9Sstevel@tonic-gate 
657c478bd9Sstevel@tonic-gate /* Hash function (Input keys are cipher results) */
667c478bd9Sstevel@tonic-gate #define HASH(x)		GET_32BIT(x)
677c478bd9Sstevel@tonic-gate 
687c478bd9Sstevel@tonic-gate #define CMP(a, b)	(memcmp(a, b, SSH_BLOCKSIZE))
697c478bd9Sstevel@tonic-gate 
707c478bd9Sstevel@tonic-gate static void
crc_update(u_int32_t * a,u_int32_t b)717c478bd9Sstevel@tonic-gate crc_update(u_int32_t *a, u_int32_t b)
727c478bd9Sstevel@tonic-gate {
737c478bd9Sstevel@tonic-gate 	b ^= *a;
747c478bd9Sstevel@tonic-gate 	*a = ssh_crc32((u_char *) &b, sizeof(b));
757c478bd9Sstevel@tonic-gate }
767c478bd9Sstevel@tonic-gate 
777c478bd9Sstevel@tonic-gate /* detect if a block is used in a particular pattern */
787c478bd9Sstevel@tonic-gate static int
check_crc(u_char * S,u_char * buf,u_int32_t len,u_char * IV)797c478bd9Sstevel@tonic-gate check_crc(u_char *S, u_char *buf, u_int32_t len,
807c478bd9Sstevel@tonic-gate 	  u_char *IV)
817c478bd9Sstevel@tonic-gate {
827c478bd9Sstevel@tonic-gate 	u_int32_t crc;
837c478bd9Sstevel@tonic-gate 	u_char *c;
847c478bd9Sstevel@tonic-gate 
857c478bd9Sstevel@tonic-gate 	crc = 0;
867c478bd9Sstevel@tonic-gate 	if (IV && !CMP(S, IV)) {
877c478bd9Sstevel@tonic-gate 		crc_update(&crc, 1);
887c478bd9Sstevel@tonic-gate 		crc_update(&crc, 0);
897c478bd9Sstevel@tonic-gate 	}
907c478bd9Sstevel@tonic-gate 	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
917c478bd9Sstevel@tonic-gate 		if (!CMP(S, c)) {
927c478bd9Sstevel@tonic-gate 			crc_update(&crc, 1);
937c478bd9Sstevel@tonic-gate 			crc_update(&crc, 0);
947c478bd9Sstevel@tonic-gate 		} else {
957c478bd9Sstevel@tonic-gate 			crc_update(&crc, 0);
967c478bd9Sstevel@tonic-gate 			crc_update(&crc, 0);
977c478bd9Sstevel@tonic-gate 		}
987c478bd9Sstevel@tonic-gate 	}
997c478bd9Sstevel@tonic-gate 	return (crc == 0);
1007c478bd9Sstevel@tonic-gate }
1017c478bd9Sstevel@tonic-gate 
1027c478bd9Sstevel@tonic-gate 
1037c478bd9Sstevel@tonic-gate /* Detect a crc32 compensation attack on a packet */
1047c478bd9Sstevel@tonic-gate int
detect_attack(u_char * buf,u_int32_t len,u_char * IV)1057c478bd9Sstevel@tonic-gate detect_attack(u_char *buf, u_int32_t len, u_char *IV)
1067c478bd9Sstevel@tonic-gate {
1077c478bd9Sstevel@tonic-gate 	static u_int16_t *h = (u_int16_t *) NULL;
1087c478bd9Sstevel@tonic-gate 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
1097c478bd9Sstevel@tonic-gate 	u_int32_t i, j;
110*60779adbSjp161948 	u_int32_t l, same;
1117c478bd9Sstevel@tonic-gate 	u_char *c;
1127c478bd9Sstevel@tonic-gate 	u_char *d;
1137c478bd9Sstevel@tonic-gate 
1147c478bd9Sstevel@tonic-gate 	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
1157c478bd9Sstevel@tonic-gate 	    len % SSH_BLOCKSIZE != 0) {
1167c478bd9Sstevel@tonic-gate 		fatal("detect_attack: bad length %d", len);
1177c478bd9Sstevel@tonic-gate 	}
1187c478bd9Sstevel@tonic-gate 	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
1197c478bd9Sstevel@tonic-gate 		;
1207c478bd9Sstevel@tonic-gate 
1217c478bd9Sstevel@tonic-gate 	if (h == NULL) {
1227c478bd9Sstevel@tonic-gate 		debug("Installing crc compensation attack detector.");
1237c478bd9Sstevel@tonic-gate 		n = l;
1247c478bd9Sstevel@tonic-gate 		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
1257c478bd9Sstevel@tonic-gate 	} else {
1267c478bd9Sstevel@tonic-gate 		if (l > n) {
1277c478bd9Sstevel@tonic-gate 			n = l;
1287c478bd9Sstevel@tonic-gate 			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
1297c478bd9Sstevel@tonic-gate 		}
1307c478bd9Sstevel@tonic-gate 	}
1317c478bd9Sstevel@tonic-gate 
1327c478bd9Sstevel@tonic-gate 	if (len <= HASH_MINBLOCKS) {
1337c478bd9Sstevel@tonic-gate 		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
1347c478bd9Sstevel@tonic-gate 			if (IV && (!CMP(c, IV))) {
1357c478bd9Sstevel@tonic-gate 				if ((check_crc(c, buf, len, IV)))
1367c478bd9Sstevel@tonic-gate 					return (DEATTACK_DETECTED);
1377c478bd9Sstevel@tonic-gate 				else
1387c478bd9Sstevel@tonic-gate 					break;
1397c478bd9Sstevel@tonic-gate 			}
1407c478bd9Sstevel@tonic-gate 			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
1417c478bd9Sstevel@tonic-gate 				if (!CMP(c, d)) {
1427c478bd9Sstevel@tonic-gate 					if ((check_crc(c, buf, len, IV)))
1437c478bd9Sstevel@tonic-gate 						return (DEATTACK_DETECTED);
1447c478bd9Sstevel@tonic-gate 					else
1457c478bd9Sstevel@tonic-gate 						break;
1467c478bd9Sstevel@tonic-gate 				}
1477c478bd9Sstevel@tonic-gate 			}
1487c478bd9Sstevel@tonic-gate 		}
1497c478bd9Sstevel@tonic-gate 		return (DEATTACK_OK);
1507c478bd9Sstevel@tonic-gate 	}
1517c478bd9Sstevel@tonic-gate 	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
1527c478bd9Sstevel@tonic-gate 
1537c478bd9Sstevel@tonic-gate 	if (IV)
1547c478bd9Sstevel@tonic-gate 		h[HASH(IV) & (n - 1)] = HASH_IV;
1557c478bd9Sstevel@tonic-gate 
156*60779adbSjp161948 	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
1577c478bd9Sstevel@tonic-gate 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
1587c478bd9Sstevel@tonic-gate 		    i = (i + 1) & (n - 1)) {
1597c478bd9Sstevel@tonic-gate 			if (h[i] == HASH_IV) {
1607c478bd9Sstevel@tonic-gate 				if (!CMP(c, IV)) {
1617c478bd9Sstevel@tonic-gate 					if (check_crc(c, buf, len, IV))
1627c478bd9Sstevel@tonic-gate 						return (DEATTACK_DETECTED);
1637c478bd9Sstevel@tonic-gate 					else
1647c478bd9Sstevel@tonic-gate 						break;
1657c478bd9Sstevel@tonic-gate 				}
1667c478bd9Sstevel@tonic-gate 			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
167*60779adbSjp161948 				if (++same > MAX_IDENTICAL)
168*60779adbSjp161948 					return (DEATTACK_DOS_DETECTED);
1697c478bd9Sstevel@tonic-gate 				if (check_crc(c, buf, len, IV))
1707c478bd9Sstevel@tonic-gate 					return (DEATTACK_DETECTED);
1717c478bd9Sstevel@tonic-gate 				else
1727c478bd9Sstevel@tonic-gate 					break;
1737c478bd9Sstevel@tonic-gate 			}
1747c478bd9Sstevel@tonic-gate 		}
1757c478bd9Sstevel@tonic-gate 		h[i] = j;
1767c478bd9Sstevel@tonic-gate 	}
1777c478bd9Sstevel@tonic-gate 	return (DEATTACK_OK);
1787c478bd9Sstevel@tonic-gate }
179