1 /* 2 * Cryptographic attack detector for ssh - source code 3 * 4 * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. 5 * 6 * All rights reserved. Redistribution and use in source and binary 7 * forms, with or without modification, are permitted provided that 8 * this copyright notice is retained. 9 * 10 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 11 * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE 12 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR 13 * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS 14 * SOFTWARE. 15 * 16 * Ariel Futoransky <futo@core-sdi.com> 17 * <http://www.core-sdi.com> 18 */ 19 20 #include "includes.h" 21 RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $"); 22 23 #pragma ident "%Z%%M% %I% %E% SMI" 24 25 #include "deattack.h" 26 #include "log.h" 27 #include "crc32.h" 28 #include "getput.h" 29 #include "xmalloc.h" 30 #include "deattack.h" 31 32 /* 33 * CRC attack detection has a worst-case behaviour that is O(N^2) over 34 * the number of identical blocks in a packet. This behaviour can be 35 * exploited to create a limited denial of service attack. 36 * 37 * However, because we are dealing with encrypted data, identical 38 * blocks should only occur every 2^35 maximally-sized packets or so. 39 * Consequently, we can detect this DoS by looking for identical blocks 40 * in a packet. 41 * 42 * The parameter below determines how many identical blocks we will 43 * accept in a single packet, trading off between attack detection and 44 * likelihood of terminating a legitimate connection. A value of 32 45 * corresponds to an average of 2^40 messages before an attack is 46 * misdetected 47 */ 48 #define MAX_IDENTICAL 32 49 50 /* SSH Constants */ 51 #define SSH_MAXBLOCKS (32 * 1024) 52 #define SSH_BLOCKSIZE (8) 53 54 /* Hashing constants */ 55 #define HASH_MINSIZE (8 * 1024) 56 #define HASH_ENTRYSIZE (2) 57 #define HASH_FACTOR(x) ((x)*3/2) 58 #define HASH_UNUSEDCHAR (0xff) 59 #define HASH_UNUSED (0xffff) 60 #define HASH_IV (0xfffe) 61 62 #define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) 63 64 65 /* Hash function (Input keys are cipher results) */ 66 #define HASH(x) GET_32BIT(x) 67 68 #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) 69 70 static void 71 crc_update(u_int32_t *a, u_int32_t b) 72 { 73 b ^= *a; 74 *a = ssh_crc32((u_char *) &b, sizeof(b)); 75 } 76 77 /* detect if a block is used in a particular pattern */ 78 static int 79 check_crc(u_char *S, u_char *buf, u_int32_t len, 80 u_char *IV) 81 { 82 u_int32_t crc; 83 u_char *c; 84 85 crc = 0; 86 if (IV && !CMP(S, IV)) { 87 crc_update(&crc, 1); 88 crc_update(&crc, 0); 89 } 90 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { 91 if (!CMP(S, c)) { 92 crc_update(&crc, 1); 93 crc_update(&crc, 0); 94 } else { 95 crc_update(&crc, 0); 96 crc_update(&crc, 0); 97 } 98 } 99 return (crc == 0); 100 } 101 102 103 /* Detect a crc32 compensation attack on a packet */ 104 int 105 detect_attack(u_char *buf, u_int32_t len, u_char *IV) 106 { 107 static u_int16_t *h = (u_int16_t *) NULL; 108 static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; 109 u_int32_t i, j; 110 u_int32_t l, same; 111 u_char *c; 112 u_char *d; 113 114 if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || 115 len % SSH_BLOCKSIZE != 0) { 116 fatal("detect_attack: bad length %d", len); 117 } 118 for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) 119 ; 120 121 if (h == NULL) { 122 debug("Installing crc compensation attack detector."); 123 n = l; 124 h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); 125 } else { 126 if (l > n) { 127 n = l; 128 h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); 129 } 130 } 131 132 if (len <= HASH_MINBLOCKS) { 133 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { 134 if (IV && (!CMP(c, IV))) { 135 if ((check_crc(c, buf, len, IV))) 136 return (DEATTACK_DETECTED); 137 else 138 break; 139 } 140 for (d = buf; d < c; d += SSH_BLOCKSIZE) { 141 if (!CMP(c, d)) { 142 if ((check_crc(c, buf, len, IV))) 143 return (DEATTACK_DETECTED); 144 else 145 break; 146 } 147 } 148 } 149 return (DEATTACK_OK); 150 } 151 memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); 152 153 if (IV) 154 h[HASH(IV) & (n - 1)] = HASH_IV; 155 156 for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { 157 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; 158 i = (i + 1) & (n - 1)) { 159 if (h[i] == HASH_IV) { 160 if (!CMP(c, IV)) { 161 if (check_crc(c, buf, len, IV)) 162 return (DEATTACK_DETECTED); 163 else 164 break; 165 } 166 } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { 167 if (++same > MAX_IDENTICAL) 168 return (DEATTACK_DOS_DETECTED); 169 if (check_crc(c, buf, len, IV)) 170 return (DEATTACK_DETECTED); 171 else 172 break; 173 } 174 } 175 h[i] = j; 176 } 177 return (DEATTACK_OK); 178 }