deattack.c revision 3102:44397adb0751 
1168404Spjd/*
2168404Spjd * Cryptographic attack detector for ssh - source code
3168404Spjd *
4168404Spjd * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
5168404Spjd *
6168404Spjd * All rights reserved. Redistribution and use in source and binary
7168404Spjd * forms, with or without modification, are permitted provided that
8168404Spjd * this copyright notice is retained.
9168404Spjd *
10168404Spjd * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
11168404Spjd * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
12168404Spjd * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
13168404Spjd * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
14168404Spjd * SOFTWARE.
15168404Spjd *
16168404Spjd * Ariel Futoransky <futo@core-sdi.com>
17168404Spjd * <http://www.core-sdi.com>
18168404Spjd */
19168404Spjd
20168404Spjd#include "includes.h"
21263405SdelphijRCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $");
22168404Spjd
23205199Sdelphij#pragma ident	"%Z%%M%	%I%	%E% SMI"
24168404Spjd
25307053Smav#include "deattack.h"
26263405Sdelphij#include "log.h"
27168404Spjd#include "crc32.h"
28168404Spjd#include "getput.h"
29168404Spjd#include "xmalloc.h"
30168404Spjd#include "deattack.h"
31168404Spjd
32168404Spjd/*
33168404Spjd * CRC attack detection has a worst-case behaviour that is O(N^2) over
34168404Spjd * the number of identical blocks in a packet. This behaviour can be
35168404Spjd * exploited to create a limited denial of service attack.
36168404Spjd *
37168404Spjd * However, because we are dealing with encrypted data, identical
38168404Spjd * blocks should only occur every 2^35 maximally-sized packets or so.
39168404Spjd * Consequently, we can detect this DoS by looking for identical blocks
40168404Spjd * in a packet.
41168404Spjd *
42168404Spjd * The parameter below determines how many identical blocks we will
43168404Spjd * accept in a single packet, trading off between attack detection and
44185029Spjd * likelihood of terminating a legitimate connection. A value of 32
45185029Spjd * corresponds to an average of 2^40 messages before an attack is
46185029Spjd * misdetected
47205199Sdelphij */
48219089Spjd#define MAX_IDENTICAL	32
49230438Spjd
50263405Sdelphij/* SSH Constants */
51185029Spjd#define SSH_MAXBLOCKS	(32 * 1024)
52185029Spjd#define SSH_BLOCKSIZE	(8)
53205199Sdelphij
54168404Spjd/* Hashing constants */
55168404Spjd#define HASH_MINSIZE	(8 * 1024)
56230438Spjd#define HASH_ENTRYSIZE	(2)
57168404Spjd#define HASH_FACTOR(x)	((x)*3/2)
58168404Spjd#define HASH_UNUSEDCHAR	(0xff)
59168404Spjd#define HASH_UNUSED	(0xffff)
60168404Spjd#define HASH_IV		(0xfffe)
61168404Spjd
62168404Spjd#define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
63
64
65/* Hash function (Input keys are cipher results) */
66#define HASH(x)		GET_32BIT(x)
67
68#define CMP(a, b)	(memcmp(a, b, SSH_BLOCKSIZE))
69
70static void
71crc_update(u_int32_t *a, u_int32_t b)
72{
73	b ^= *a;
74	*a = ssh_crc32((u_char *) &b, sizeof(b));
75}
76
77/* detect if a block is used in a particular pattern */
78static int
79check_crc(u_char *S, u_char *buf, u_int32_t len,
80	  u_char *IV)
81{
82	u_int32_t crc;
83	u_char *c;
84
85	crc = 0;
86	if (IV && !CMP(S, IV)) {
87		crc_update(&crc, 1);
88		crc_update(&crc, 0);
89	}
90	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
91		if (!CMP(S, c)) {
92			crc_update(&crc, 1);
93			crc_update(&crc, 0);
94		} else {
95			crc_update(&crc, 0);
96			crc_update(&crc, 0);
97		}
98	}
99	return (crc == 0);
100}
101
102
103/* Detect a crc32 compensation attack on a packet */
104int
105detect_attack(u_char *buf, u_int32_t len, u_char *IV)
106{
107	static u_int16_t *h = (u_int16_t *) NULL;
108	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
109	u_int32_t i, j;
110	u_int32_t l, same;
111	u_char *c;
112	u_char *d;
113
114	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
115	    len % SSH_BLOCKSIZE != 0) {
116		fatal("detect_attack: bad length %d", len);
117	}
118	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
119		;
120
121	if (h == NULL) {
122		debug("Installing crc compensation attack detector.");
123		n = l;
124		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
125	} else {
126		if (l > n) {
127			n = l;
128			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
129		}
130	}
131
132	if (len <= HASH_MINBLOCKS) {
133		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
134			if (IV && (!CMP(c, IV))) {
135				if ((check_crc(c, buf, len, IV)))
136					return (DEATTACK_DETECTED);
137				else
138					break;
139			}
140			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
141				if (!CMP(c, d)) {
142					if ((check_crc(c, buf, len, IV)))
143						return (DEATTACK_DETECTED);
144					else
145						break;
146				}
147			}
148		}
149		return (DEATTACK_OK);
150	}
151	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
152
153	if (IV)
154		h[HASH(IV) & (n - 1)] = HASH_IV;
155
156	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
157		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
158		    i = (i + 1) & (n - 1)) {
159			if (h[i] == HASH_IV) {
160				if (!CMP(c, IV)) {
161					if (check_crc(c, buf, len, IV))
162						return (DEATTACK_DETECTED);
163					else
164						break;
165				}
166			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
167				if (++same > MAX_IDENTICAL)
168					return (DEATTACK_DOS_DETECTED);
169				if (check_crc(c, buf, len, IV))
170					return (DEATTACK_DETECTED);
171				else
172					break;
173			}
174		}
175		h[i] = j;
176	}
177	return (DEATTACK_OK);
178}
179