Home | History | Annotate | Download | only in common
      1 /*
      2  * Cryptographic attack detector for ssh - source code
      3  *
      4  * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
      5  *
      6  * All rights reserved. Redistribution and use in source and binary
      7  * forms, with or without modification, are permitted provided that
      8  * this copyright notice is retained.
      9  *
     10  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
     11  * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
     12  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
     13  * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
     14  * SOFTWARE.
     15  *
     16  * Ariel Futoransky <futo (at) core-sdi.com>
     17  * <http://www.core-sdi.com>
     18  */
     19 
     20 #include "includes.h"
     21 RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $");
     22 
     23 #pragma ident	"%Z%%M%	%I%	%E% SMI"
     24 
     25 #include "deattack.h"
     26 #include "log.h"
     27 #include "crc32.h"
     28 #include "getput.h"
     29 #include "xmalloc.h"
     30 #include "deattack.h"
     31 
     32 /*
     33  * CRC attack detection has a worst-case behaviour that is O(N^2) over
     34  * the number of identical blocks in a packet. This behaviour can be
     35  * exploited to create a limited denial of service attack.
     36  *
     37  * However, because we are dealing with encrypted data, identical
     38  * blocks should only occur every 2^35 maximally-sized packets or so.
     39  * Consequently, we can detect this DoS by looking for identical blocks
     40  * in a packet.
     41  *
     42  * The parameter below determines how many identical blocks we will
     43  * accept in a single packet, trading off between attack detection and
     44  * likelihood of terminating a legitimate connection. A value of 32
     45  * corresponds to an average of 2^40 messages before an attack is
     46  * misdetected
     47  */
     48 #define MAX_IDENTICAL	32
     49 
     50 /* SSH Constants */
     51 #define SSH_MAXBLOCKS	(32 * 1024)
     52 #define SSH_BLOCKSIZE	(8)
     53 
     54 /* Hashing constants */
     55 #define HASH_MINSIZE	(8 * 1024)
     56 #define HASH_ENTRYSIZE	(2)
     57 #define HASH_FACTOR(x)	((x)*3/2)
     58 #define HASH_UNUSEDCHAR	(0xff)
     59 #define HASH_UNUSED	(0xffff)
     60 #define HASH_IV		(0xfffe)
     61 
     62 #define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
     63 
     64 
     65 /* Hash function (Input keys are cipher results) */
     66 #define HASH(x)		GET_32BIT(x)
     67 
     68 #define CMP(a, b)	(memcmp(a, b, SSH_BLOCKSIZE))
     69 
     70 static void
     71 crc_update(u_int32_t *a, u_int32_t b)
     72 {
     73 	b ^= *a;
     74 	*a = ssh_crc32((u_char *) &b, sizeof(b));
     75 }
     76 
     77 /* detect if a block is used in a particular pattern */
     78 static int
     79 check_crc(u_char *S, u_char *buf, u_int32_t len,
     80 	  u_char *IV)
     81 {
     82 	u_int32_t crc;
     83 	u_char *c;
     84 
     85 	crc = 0;
     86 	if (IV && !CMP(S, IV)) {
     87 		crc_update(&crc, 1);
     88 		crc_update(&crc, 0);
     89 	}
     90 	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
     91 		if (!CMP(S, c)) {
     92 			crc_update(&crc, 1);
     93 			crc_update(&crc, 0);
     94 		} else {
     95 			crc_update(&crc, 0);
     96 			crc_update(&crc, 0);
     97 		}
     98 	}
     99 	return (crc == 0);
    100 }
    101 
    102 
    103 /* Detect a crc32 compensation attack on a packet */
    104 int
    105 detect_attack(u_char *buf, u_int32_t len, u_char *IV)
    106 {
    107 	static u_int16_t *h = (u_int16_t *) NULL;
    108 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    109 	u_int32_t i, j;
    110 	u_int32_t l, same;
    111 	u_char *c;
    112 	u_char *d;
    113 
    114 	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
    115 	    len % SSH_BLOCKSIZE != 0) {
    116 		fatal("detect_attack: bad length %d", len);
    117 	}
    118 	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
    119 		;
    120 
    121 	if (h == NULL) {
    122 		debug("Installing crc compensation attack detector.");
    123 		n = l;
    124 		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
    125 	} else {
    126 		if (l > n) {
    127 			n = l;
    128 			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
    129 		}
    130 	}
    131 
    132 	if (len <= HASH_MINBLOCKS) {
    133 		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
    134 			if (IV && (!CMP(c, IV))) {
    135 				if ((check_crc(c, buf, len, IV)))
    136 					return (DEATTACK_DETECTED);
    137 				else
    138 					break;
    139 			}
    140 			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
    141 				if (!CMP(c, d)) {
    142 					if ((check_crc(c, buf, len, IV)))
    143 						return (DEATTACK_DETECTED);
    144 					else
    145 						break;
    146 				}
    147 			}
    148 		}
    149 		return (DEATTACK_OK);
    150 	}
    151 	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
    152 
    153 	if (IV)
    154 		h[HASH(IV) & (n - 1)] = HASH_IV;
    155 
    156 	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
    157 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
    158 		    i = (i + 1) & (n - 1)) {
    159 			if (h[i] == HASH_IV) {
    160 				if (!CMP(c, IV)) {
    161 					if (check_crc(c, buf, len, IV))
    162 						return (DEATTACK_DETECTED);
    163 					else
    164 						break;
    165 				}
    166 			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
    167 				if (++same > MAX_IDENTICAL)
    168 					return (DEATTACK_DOS_DETECTED);
    169 				if (check_crc(c, buf, len, IV))
    170 					return (DEATTACK_DETECTED);
    171 				else
    172 					break;
    173 			}
    174 		}
    175 		h[i] = j;
    176 	}
    177 	return (DEATTACK_OK);
    178 }
    179