]>
Commit | Line | Data |
---|---|---|
f0d0e025 | 1 | /* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */ |
8efc0c15 | 2 | /* |
8efc0c15 | 3 | * Cryptographic attack detector for ssh - source code |
4 | * | |
5 | * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. | |
6 | * | |
7 | * All rights reserved. Redistribution and use in source and binary | |
8 | * forms, with or without modification, are permitted provided that | |
9 | * this copyright notice is retained. | |
10 | * | |
11 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
12 | * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE | |
13 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR | |
14 | * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS | |
15 | * SOFTWARE. | |
16 | * | |
17 | * Ariel Futoransky <futo@core-sdi.com> | |
5260325f | 18 | * <http://www.core-sdi.com> |
19 | */ | |
8efc0c15 | 20 | |
21 | #include "includes.h" | |
93c3b6de | 22 | |
31652869 | 23 | #include <sys/types.h> |
24 | ||
00146caa | 25 | #include <string.h> |
31652869 | 26 | #include <stdio.h> |
27 | #include <stdarg.h> | |
00146caa | 28 | |
31652869 | 29 | #include "xmalloc.h" |
8efc0c15 | 30 | #include "deattack.h" |
42f11eb2 | 31 | #include "log.h" |
8efc0c15 | 32 | #include "crc32.h" |
51e7a012 | 33 | #include "misc.h" |
8efc0c15 | 34 | |
f0d0e025 | 35 | /* |
36 | * CRC attack detection has a worst-case behaviour that is O(N^3) over | |
37 | * the number of identical blocks in a packet. This behaviour can be | |
38 | * exploited to create a limited denial of service attack. | |
39 | * | |
40 | * However, because we are dealing with encrypted data, identical | |
41 | * blocks should only occur every 2^35 maximally-sized packets or so. | |
42 | * Consequently, we can detect this DoS by looking for identical blocks | |
43 | * in a packet. | |
44 | * | |
45 | * The parameter below determines how many identical blocks we will | |
46 | * accept in a single packet, trading off between attack detection and | |
47 | * likelihood of terminating a legitimate connection. A value of 32 | |
48 | * corresponds to an average of 2^40 messages before an attack is | |
49 | * misdetected | |
50 | */ | |
51 | #define MAX_IDENTICAL 32 | |
52 | ||
8efc0c15 | 53 | /* SSH Constants */ |
5260325f | 54 | #define SSH_MAXBLOCKS (32 * 1024) |
55 | #define SSH_BLOCKSIZE (8) | |
8efc0c15 | 56 | |
57 | /* Hashing constants */ | |
5260325f | 58 | #define HASH_MINSIZE (8 * 1024) |
59 | #define HASH_ENTRYSIZE (2) | |
60 | #define HASH_FACTOR(x) ((x)*3/2) | |
61 | #define HASH_UNUSEDCHAR (0xff) | |
62 | #define HASH_UNUSED (0xffff) | |
184eed6a | 63 | #define HASH_IV (0xfffe) |
8efc0c15 | 64 | |
5260325f | 65 | #define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) |
8efc0c15 | 66 | |
67 | ||
68 | /* Hash function (Input keys are cipher results) */ | |
51e7a012 | 69 | #define HASH(x) get_u32(x) |
8efc0c15 | 70 | |
12bf85ed | 71 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) |
8efc0c15 | 72 | |
396c147e | 73 | static void |
5260325f | 74 | crc_update(u_int32_t *a, u_int32_t b) |
8efc0c15 | 75 | { |
5260325f | 76 | b ^= *a; |
69753336 | 77 | *a = ssh_crc32((u_char *)&b, sizeof(b)); |
8efc0c15 | 78 | } |
79 | ||
5260325f | 80 | /* detect if a block is used in a particular pattern */ |
396c147e | 81 | static int |
69753336 | 82 | check_crc(u_char *S, u_char *buf, u_int32_t len) |
8efc0c15 | 83 | { |
5260325f | 84 | u_int32_t crc; |
1e3b8b07 | 85 | u_char *c; |
5260325f | 86 | |
87 | crc = 0; | |
5260325f | 88 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
89 | if (!CMP(S, c)) { | |
90 | crc_update(&crc, 1); | |
91 | crc_update(&crc, 0); | |
92 | } else { | |
93 | crc_update(&crc, 0); | |
94 | crc_update(&crc, 0); | |
95 | } | |
96 | } | |
97 | return (crc == 0); | |
8efc0c15 | 98 | } |
99 | ||
100 | ||
5260325f | 101 | /* Detect a crc32 compensation attack on a packet */ |
8efc0c15 | 102 | int |
69753336 | 103 | detect_attack(u_char *buf, u_int32_t len) |
8efc0c15 | 104 | { |
5260325f | 105 | static u_int16_t *h = (u_int16_t *) NULL; |
b850ecd9 | 106 | static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; |
44c2ab73 | 107 | u_int32_t i, j; |
f0d0e025 | 108 | u_int32_t l, same; |
44c2ab73 | 109 | u_char *c; |
1e3b8b07 | 110 | u_char *d; |
5260325f | 111 | |
112 | if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || | |
113 | len % SSH_BLOCKSIZE != 0) { | |
114 | fatal("detect_attack: bad length %d", len); | |
115 | } | |
116 | for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) | |
117 | ; | |
118 | ||
119 | if (h == NULL) { | |
120 | debug("Installing crc compensation attack detector."); | |
52e3daed | 121 | h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE); |
5260325f | 122 | n = l; |
5260325f | 123 | } else { |
124 | if (l > n) { | |
c5d10563 | 125 | h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); |
5260325f | 126 | n = l; |
5260325f | 127 | } |
128 | } | |
129 | ||
130 | if (len <= HASH_MINBLOCKS) { | |
131 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { | |
5260325f | 132 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { |
133 | if (!CMP(c, d)) { | |
69753336 | 134 | if ((check_crc(c, buf, len))) |
5260325f | 135 | return (DEATTACK_DETECTED); |
136 | else | |
137 | break; | |
138 | } | |
139 | } | |
140 | } | |
141 | return (DEATTACK_OK); | |
8efc0c15 | 142 | } |
5260325f | 143 | memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); |
144 | ||
f0d0e025 | 145 | for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
5260325f | 146 | for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; |
184eed6a | 147 | i = (i + 1) & (n - 1)) { |
69753336 | 148 | if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { |
f0d0e025 | 149 | if (++same > MAX_IDENTICAL) |
150 | return (DEATTACK_DOS_DETECTED); | |
69753336 | 151 | if (check_crc(c, buf, len)) |
5260325f | 152 | return (DEATTACK_DETECTED); |
153 | else | |
154 | break; | |
155 | } | |
156 | } | |
157 | h[i] = j; | |
8efc0c15 | 158 | } |
5260325f | 159 | return (DEATTACK_OK); |
8efc0c15 | 160 | } |