]>
Commit | Line | Data |
---|---|---|
2e437378 | 1 | /* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */ |
3c0ef626 | 2 | /* |
3 | * Cryptographic attack detector for ssh - source code | |
4 | * | |
5 | * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. | |
6 | * | |
7 | * All rights reserved. Redistribution and use in source and binary | |
8 | * forms, with or without modification, are permitted provided that | |
9 | * this copyright notice is retained. | |
10 | * | |
11 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
12 | * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE | |
13 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR | |
14 | * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS | |
15 | * SOFTWARE. | |
16 | * | |
17 | * Ariel Futoransky <futo@core-sdi.com> | |
18 | * <http://www.core-sdi.com> | |
19 | */ | |
20 | ||
21 | #include "includes.h" | |
e9a17296 | 22 | |
2e437378 | 23 | #include <sys/types.h> |
24 | ||
25 | #include <string.h> | |
26 | #include <stdio.h> | |
27 | #include <stdarg.h> | |
28 | ||
29 | #include "xmalloc.h" | |
3c0ef626 | 30 | #include "deattack.h" |
31 | #include "log.h" | |
32 | #include "crc32.h" | |
2e437378 | 33 | #include "misc.h" |
34 | ||
35 | /* | |
36 | * CRC attack detection has a worst-case behaviour that is O(N^3) over | |
37 | * the number of identical blocks in a packet. This behaviour can be | |
38 | * exploited to create a limited denial of service attack. | |
39 | * | |
40 | * However, because we are dealing with encrypted data, identical | |
41 | * blocks should only occur every 2^35 maximally-sized packets or so. | |
42 | * Consequently, we can detect this DoS by looking for identical blocks | |
43 | * in a packet. | |
44 | * | |
45 | * The parameter below determines how many identical blocks we will | |
46 | * accept in a single packet, trading off between attack detection and | |
47 | * likelihood of terminating a legitimate connection. A value of 32 | |
48 | * corresponds to an average of 2^40 messages before an attack is | |
49 | * misdetected | |
50 | */ | |
51 | #define MAX_IDENTICAL 32 | |
3c0ef626 | 52 | |
53 | /* SSH Constants */ | |
54 | #define SSH_MAXBLOCKS (32 * 1024) | |
55 | #define SSH_BLOCKSIZE (8) | |
56 | ||
57 | /* Hashing constants */ | |
58 | #define HASH_MINSIZE (8 * 1024) | |
59 | #define HASH_ENTRYSIZE (2) | |
60 | #define HASH_FACTOR(x) ((x)*3/2) | |
61 | #define HASH_UNUSEDCHAR (0xff) | |
62 | #define HASH_UNUSED (0xffff) | |
e9a17296 | 63 | #define HASH_IV (0xfffe) |
3c0ef626 | 64 | |
65 | #define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) | |
66 | ||
67 | ||
68 | /* Hash function (Input keys are cipher results) */ | |
2e437378 | 69 | #define HASH(x) get_u32(x) |
3c0ef626 | 70 | |
71 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) | |
72 | ||
73 | static void | |
74 | crc_update(u_int32_t *a, u_int32_t b) | |
75 | { | |
76 | b ^= *a; | |
2e437378 | 77 | *a = ssh_crc32((u_char *)&b, sizeof(b)); |
3c0ef626 | 78 | } |
79 | ||
80 | /* detect if a block is used in a particular pattern */ | |
81 | static int | |
2e437378 | 82 | check_crc(u_char *S, u_char *buf, u_int32_t len) |
3c0ef626 | 83 | { |
84 | u_int32_t crc; | |
85 | u_char *c; | |
86 | ||
87 | crc = 0; | |
3c0ef626 | 88 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
89 | if (!CMP(S, c)) { | |
90 | crc_update(&crc, 1); | |
91 | crc_update(&crc, 0); | |
92 | } else { | |
93 | crc_update(&crc, 0); | |
94 | crc_update(&crc, 0); | |
95 | } | |
96 | } | |
97 | return (crc == 0); | |
98 | } | |
99 | ||
100 | ||
101 | /* Detect a crc32 compensation attack on a packet */ | |
102 | int | |
2e437378 | 103 | detect_attack(u_char *buf, u_int32_t len) |
3c0ef626 | 104 | { |
105 | static u_int16_t *h = (u_int16_t *) NULL; | |
106 | static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; | |
e9a17296 | 107 | u_int32_t i, j; |
2e437378 | 108 | u_int32_t l, same; |
e9a17296 | 109 | u_char *c; |
3c0ef626 | 110 | u_char *d; |
111 | ||
112 | if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || | |
113 | len % SSH_BLOCKSIZE != 0) { | |
114 | fatal("detect_attack: bad length %d", len); | |
115 | } | |
116 | for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) | |
117 | ; | |
118 | ||
119 | if (h == NULL) { | |
120 | debug("Installing crc compensation attack detector."); | |
2e437378 | 121 | h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE); |
3c0ef626 | 122 | n = l; |
3c0ef626 | 123 | } else { |
124 | if (l > n) { | |
2e437378 | 125 | h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); |
3c0ef626 | 126 | n = l; |
3c0ef626 | 127 | } |
128 | } | |
129 | ||
130 | if (len <= HASH_MINBLOCKS) { | |
131 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { | |
3c0ef626 | 132 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { |
133 | if (!CMP(c, d)) { | |
2e437378 | 134 | if ((check_crc(c, buf, len))) |
3c0ef626 | 135 | return (DEATTACK_DETECTED); |
136 | else | |
137 | break; | |
138 | } | |
139 | } | |
140 | } | |
141 | return (DEATTACK_OK); | |
142 | } | |
143 | memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); | |
144 | ||
2e437378 | 145 | for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
3c0ef626 | 146 | for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; |
e9a17296 | 147 | i = (i + 1) & (n - 1)) { |
2e437378 | 148 | if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { |
149 | if (++same > MAX_IDENTICAL) | |
150 | return (DEATTACK_DOS_DETECTED); | |
151 | if (check_crc(c, buf, len)) | |
3c0ef626 | 152 | return (DEATTACK_DETECTED); |
153 | else | |
154 | break; | |
155 | } | |
156 | } | |
157 | h[i] = j; | |
158 | } | |
159 | return (DEATTACK_OK); | |
160 | } |