| deattack.c (124208) | deattack.c (162852) |
|---|---|
| 1/* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */ |
|
| 1/* 2 * Cryptographic attack detector for ssh - source code 3 * 4 * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. 5 * 6 * All rights reserved. Redistribution and use in source and binary 7 * forms, with or without modification, are permitted provided that 8 * this copyright notice is retained. --- 4 unchanged lines hidden (view full) --- 13 * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS 14 * SOFTWARE. 15 * 16 * Ariel Futoransky <futo@core-sdi.com> 17 * <http://www.core-sdi.com> 18 */ 19 20#include "includes.h" | 2/* 3 * Cryptographic attack detector for ssh - source code 4 * 5 * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. 6 * 7 * All rights reserved. Redistribution and use in source and binary 8 * forms, with or without modification, are permitted provided that 9 * this copyright notice is retained. --- 4 unchanged lines hidden (view full) --- 14 * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS 15 * SOFTWARE. 16 * 17 * Ariel Futoransky <futo@core-sdi.com> 18 * <http://www.core-sdi.com> 19 */ 20 21#include "includes.h" |
| 21RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $"); | |
| 22 | 22 |
| 23#include <sys/types.h> 24 25#include <string.h> 26#include <stdio.h> 27#include <stdarg.h> 28 29#include "xmalloc.h" |
|
| 23#include "deattack.h" 24#include "log.h" 25#include "crc32.h" | 30#include "deattack.h" 31#include "log.h" 32#include "crc32.h" |
| 26#include "getput.h" 27#include "xmalloc.h" 28#include "deattack.h" | 33#include "misc.h" |
| 29 | 34 |
| 35/* 36 * CRC attack detection has a worst-case behaviour that is O(N^3) over 37 * the number of identical blocks in a packet. This behaviour can be 38 * exploited to create a limited denial of service attack. 39 * 40 * However, because we are dealing with encrypted data, identical 41 * blocks should only occur every 2^35 maximally-sized packets or so. 42 * Consequently, we can detect this DoS by looking for identical blocks 43 * in a packet. 44 * 45 * The parameter below determines how many identical blocks we will 46 * accept in a single packet, trading off between attack detection and 47 * likelihood of terminating a legitimate connection. A value of 32 48 * corresponds to an average of 2^40 messages before an attack is 49 * misdetected 50 */ 51#define MAX_IDENTICAL 32 52 |
|
| 30/* SSH Constants */ 31#define SSH_MAXBLOCKS (32 * 1024) 32#define SSH_BLOCKSIZE (8) 33 34/* Hashing constants */ 35#define HASH_MINSIZE (8 * 1024) 36#define HASH_ENTRYSIZE (2) 37#define HASH_FACTOR(x) ((x)*3/2) 38#define HASH_UNUSEDCHAR (0xff) 39#define HASH_UNUSED (0xffff) 40#define HASH_IV (0xfffe) 41 42#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) 43 44 45/* Hash function (Input keys are cipher results) */ | 53/* SSH Constants */ 54#define SSH_MAXBLOCKS (32 * 1024) 55#define SSH_BLOCKSIZE (8) 56 57/* Hashing constants */ 58#define HASH_MINSIZE (8 * 1024) 59#define HASH_ENTRYSIZE (2) 60#define HASH_FACTOR(x) ((x)*3/2) 61#define HASH_UNUSEDCHAR (0xff) 62#define HASH_UNUSED (0xffff) 63#define HASH_IV (0xfffe) 64 65#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) 66 67 68/* Hash function (Input keys are cipher results) */ |
| 46#define HASH(x) GET_32BIT(x) | 69#define HASH(x) get_u32(x) |
| 47 48#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) 49 50static void 51crc_update(u_int32_t *a, u_int32_t b) 52{ 53 b ^= *a; | 70 71#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) 72 73static void 74crc_update(u_int32_t *a, u_int32_t b) 75{ 76 b ^= *a; |
| 54 *a = ssh_crc32((u_char *) &b, sizeof(b)); | 77 *a = ssh_crc32((u_char *)&b, sizeof(b)); |
| 55} 56 57/* detect if a block is used in a particular pattern */ 58static int | 78} 79 80/* detect if a block is used in a particular pattern */ 81static int |
| 59check_crc(u_char *S, u_char *buf, u_int32_t len, 60 u_char *IV) | 82check_crc(u_char *S, u_char *buf, u_int32_t len) |
| 61{ 62 u_int32_t crc; 63 u_char *c; 64 65 crc = 0; | 83{ 84 u_int32_t crc; 85 u_char *c; 86 87 crc = 0; |
| 66 if (IV && !CMP(S, IV)) { 67 crc_update(&crc, 1); 68 crc_update(&crc, 0); 69 } | |
| 70 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { 71 if (!CMP(S, c)) { 72 crc_update(&crc, 1); 73 crc_update(&crc, 0); 74 } else { 75 crc_update(&crc, 0); 76 crc_update(&crc, 0); 77 } 78 } 79 return (crc == 0); 80} 81 82 83/* Detect a crc32 compensation attack on a packet */ 84int | 88 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { 89 if (!CMP(S, c)) { 90 crc_update(&crc, 1); 91 crc_update(&crc, 0); 92 } else { 93 crc_update(&crc, 0); 94 crc_update(&crc, 0); 95 } 96 } 97 return (crc == 0); 98} 99 100 101/* Detect a crc32 compensation attack on a packet */ 102int |
| 85detect_attack(u_char *buf, u_int32_t len, u_char *IV) | 103detect_attack(u_char *buf, u_int32_t len) |
| 86{ 87 static u_int16_t *h = (u_int16_t *) NULL; 88 static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; 89 u_int32_t i, j; | 104{ 105 static u_int16_t *h = (u_int16_t *) NULL; 106 static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; 107 u_int32_t i, j; |
| 90 u_int32_t l; | 108 u_int32_t l, same; |
| 91 u_char *c; 92 u_char *d; 93 94 if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || 95 len % SSH_BLOCKSIZE != 0) { 96 fatal("detect_attack: bad length %d", len); 97 } 98 for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) 99 ; 100 101 if (h == NULL) { 102 debug("Installing crc compensation attack detector."); | 109 u_char *c; 110 u_char *d; 111 112 if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || 113 len % SSH_BLOCKSIZE != 0) { 114 fatal("detect_attack: bad length %d", len); 115 } 116 for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) 117 ; 118 119 if (h == NULL) { 120 debug("Installing crc compensation attack detector."); |
| 103 h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); | 121 h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE); |
| 104 n = l; 105 } else { 106 if (l > n) { | 122 n = l; 123 } else { 124 if (l > n) { |
| 107 h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); | 125 h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); |
| 108 n = l; 109 } 110 } 111 112 if (len <= HASH_MINBLOCKS) { 113 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { | 126 n = l; 127 } 128 } 129 130 if (len <= HASH_MINBLOCKS) { 131 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
| 114 if (IV && (!CMP(c, IV))) { 115 if ((check_crc(c, buf, len, IV))) 116 return (DEATTACK_DETECTED); 117 else 118 break; 119 } | |
| 120 for (d = buf; d < c; d += SSH_BLOCKSIZE) { 121 if (!CMP(c, d)) { | 132 for (d = buf; d < c; d += SSH_BLOCKSIZE) { 133 if (!CMP(c, d)) { |
| 122 if ((check_crc(c, buf, len, IV))) | 134 if ((check_crc(c, buf, len))) |
| 123 return (DEATTACK_DETECTED); 124 else 125 break; 126 } 127 } 128 } 129 return (DEATTACK_OK); 130 } 131 memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); 132 | 135 return (DEATTACK_DETECTED); 136 else 137 break; 138 } 139 } 140 } 141 return (DEATTACK_OK); 142 } 143 memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); 144 |
| 133 if (IV) 134 h[HASH(IV) & (n - 1)] = HASH_IV; 135 136 for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { | 145 for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
| 137 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; 138 i = (i + 1) & (n - 1)) { | 146 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; 147 i = (i + 1) & (n - 1)) { |
| 139 if (h[i] == HASH_IV) { 140 if (!CMP(c, IV)) { 141 if (check_crc(c, buf, len, IV)) 142 return (DEATTACK_DETECTED); 143 else 144 break; 145 } 146 } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { 147 if (check_crc(c, buf, len, IV)) | 148 if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { 149 if (++same > MAX_IDENTICAL) 150 return (DEATTACK_DOS_DETECTED); 151 if (check_crc(c, buf, len)) |
| 148 return (DEATTACK_DETECTED); 149 else 150 break; 151 } 152 } 153 h[i] = j; 154 } 155 return (DEATTACK_OK); 156} | 152 return (DEATTACK_DETECTED); 153 else 154 break; 155 } 156 } 157 h[i] = j; 158 } 159 return (DEATTACK_OK); 160} |