1 | /* $OpenBSD: deattack.c,v 1.14 2001/06/23 15:12:18 itojun Exp $ */ |
2 | |
3 | /* |
4 | * Cryptographic attack detector for ssh - source code |
5 | * |
6 | * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. |
7 | * |
8 | * All rights reserved. Redistribution and use in source and binary |
9 | * forms, with or without modification, are permitted provided that |
10 | * this copyright notice is retained. |
11 | * |
12 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
13 | * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE |
14 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR |
15 | * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS |
16 | * SOFTWARE. |
17 | * |
18 | * Ariel Futoransky <futo@core-sdi.com> |
19 | * <http://www.core-sdi.com> |
20 | * |
21 | * Modified for use in PuTTY by Simon Tatham |
22 | */ |
23 | |
24 | #include <assert.h> |
25 | #include "misc.h" |
26 | #include "ssh.h" |
27 | |
typedef unsigned char uchar;
typedef unsigned short uint16;

/*
 * SSH constants: the largest packet the detector accepts is
 * SSH_MAXBLOCKS cipher blocks of SSH_BLOCKSIZE bytes each.
 */
#define SSH_MAXBLOCKS (32 * 1024)
#define SSH_BLOCKSIZE (8)

/*
 * Hashing constants.
 *
 * The table holds uint16 entries. HASH_UNUSED and HASH_IV are sentinel
 * entry values, so a real block index stored in the table has to stay
 * below HASH_IV; SSH_MAXBLOCKS is well under that value.
 * HASH_UNUSEDCHAR is the byte handed to memset() so that every uint16
 * entry reads back as HASH_UNUSED.
 */
#define HASH_MINSIZE (8 * 1024)
#define HASH_ENTRYSIZE (sizeof(uint16))
#define HASH_FACTOR(x) ((x)*3/2)
#define HASH_UNUSEDCHAR (0xff)
#define HASH_UNUSED (0xffff)
#define HASH_IV (0xfffe)

/*
 * Despite the name this is a byte count (seven blocks' worth); it is
 * compared directly against the packet length in bytes.
 */
#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE)

/* Read four bytes at cp as a big-endian 32-bit value. */
#define GET_32BIT_MSB_FIRST(cp) \
    (((unsigned long)(unsigned char)(cp)[0] << 24) | \
     ((unsigned long)(unsigned char)(cp)[1] << 16) | \
     ((unsigned long)(unsigned char)(cp)[2] << 8) | \
     ((unsigned long)(unsigned char)(cp)[3]))

/* Hash function (input keys are cipher results): first 4 bytes of a block */
#define HASH(x) GET_32BIT_MSB_FIRST(x)

/* Compare two cipher blocks; evaluates to 0 when they are equal. */
#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE))

/* The two 4-byte words fed to the CRC by check_crc(). */
uchar ONE[4] = { 1, 0, 0, 0 };
uchar ZERO[4] = { 0, 0, 0, 0 };
58 | |
/*
 * State kept between detect_attack() calls: the hash table and its
 * current size.
 */
struct crcda_ctx {
    uint16 *h;                         /* hash table; NULL until first allocated */
    uint32 n;                          /* number of uint16 entries in h */
};
63 | |
/*
 * Create a detector context with no hash table yet and the minimum
 * table size recorded. The caller releases it with
 * crcda_free_context().
 *
 * NOTE(review): the smalloc() result is used unchecked; presumably
 * smalloc() never returns NULL - confirm against its definition.
 */
void *crcda_make_context(void)
{
    struct crcda_ctx *ctx = smalloc(sizeof(struct crcda_ctx));

    ctx->n = HASH_MINSIZE / HASH_ENTRYSIZE;
    ctx->h = NULL;                     /* table is allocated lazily */
    return ctx;
}
71 | |
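/*
 * Release a context made by crcda_make_context().
 *
 * detect_attack() allocates the hash table ctx->h on first use, so it
 * has to be freed here as well; freeing only the context structure
 * leaks the table every time a context is destroyed.
 *
 * handle may be NULL, in which case nothing is done.
 */
void crcda_free_context(void *handle)
{
    struct crcda_ctx *ctx = (struct crcda_ctx *)handle;

    if (ctx == NULL)
        return;
    if (ctx->h != NULL)
        sfree(ctx->h);
    ctx->h = NULL;                     /* no stale pointer left in freed state */
    sfree(ctx);
}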
76 | |
/* Fold the 4-byte word at b into the running CRC stored in *a. */
static void crc_update(uint32 *a, void *b)
{
    uint32 folded = crc32_update(*a, b, 4);

    *a = folded;
}
81 | |
/*
 * Detect if a block is used in a particular pattern.
 *
 * Starting from a CRC of 0, feeds the word pair ONE,ZERO for the IV
 * (when IV is given and equals S) and for every block of buf equal to
 * S, and ZERO,ZERO for every other block of buf.
 *
 * S   - the cipher block being examined (SSH_BLOCKSIZE bytes)
 * buf - the packet, len bytes long, walked in SSH_BLOCKSIZE steps
 * IV  - optional extra block to compare against; may be NULL
 *
 * Returns 1 if the resulting CRC is 0, otherwise 0.
 */
static int check_crc(uchar *S, uchar *buf, uint32 len, uchar *IV)
{
    uint32 crc = 0;
    uchar *end = buf + len;
    uchar *blk;

    if (IV != NULL && CMP(S, IV) == 0) {
        crc_update(&crc, ONE);
        crc_update(&crc, ZERO);
    }
    for (blk = buf; blk < end; blk += SSH_BLOCKSIZE) {
        /* first word marks a match, second word is always ZERO */
        crc_update(&crc, CMP(S, blk) == 0 ? ONE : ZERO);
        crc_update(&crc, ZERO);
    }
    return crc == 0;
}
104 | |
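/*
 * Detect a crc32 compensation attack on a packet.
 *
 * handle - context from crcda_make_context(); its hash table is
 *          allocated or grown here as needed
 * buf    - the packet, len bytes long
 * len    - must be a multiple of SSH_BLOCKSIZE and at most
 *          SSH_MAXBLOCKS * SSH_BLOCKSIZE
 * IV     - optional block treated as preceding the packet; may be NULL
 *
 * Returns 1 if an attack is detected, 0 if the packet is ok. A length
 * outside the limits above is also reported as 1 when assertions are
 * compiled out, so the packet is rejected rather than processed.
 */
int detect_attack(void *handle, uchar *buf, uint32 len, uchar *IV)
{
    struct crcda_ctx *ctx = (struct crcda_ctx *)handle;
    uint32 i, j;
    uint32 l;
    uchar *c;
    uchar *d;

    assert(!(len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
             len % SSH_BLOCKSIZE != 0));
    /*
     * The length bound is what keeps every block index j below the
     * HASH_IV / HASH_UNUSED sentinels and within a uint16 table entry.
     * assert() disappears under NDEBUG, so enforce it at run time too
     * and fail closed.
     */
    if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || len % SSH_BLOCKSIZE != 0)
        return 1;

    /* Pick a table size large enough for this packet. */
    for (l = ctx->n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
        ;

    /*
     * NOTE(review): the smalloc()/srealloc() results are used
     * unchecked; presumably they never return NULL - confirm.
     */
    if (ctx->h == NULL) {
        ctx->n = l;
        ctx->h = (uint16 *) smalloc(ctx->n * HASH_ENTRYSIZE);
    } else {
        if (l > ctx->n) {
            ctx->n = l;
            ctx->h = (uint16 *) srealloc(ctx->h, ctx->n * HASH_ENTRYSIZE);
        }
    }

    /* Short packets: compare each block with the IV and all earlier blocks. */
    if (len <= HASH_MINBLOCKS) {
        for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
            if (IV && (!CMP(c, IV))) {
                if ((check_crc(c, buf, len, IV)))
                    return 1;          /* attack detected */
                else
                    break;
            }
            for (d = buf; d < c; d += SSH_BLOCKSIZE) {
                if (!CMP(c, d)) {
                    if ((check_crc(c, buf, len, IV)))
                        return 1;      /* attack detected */
                    else
                        break;
                }
            }
        }
        return 0;                      /* ok */
    }

    /* Mark every table entry as HASH_UNUSED. */
    memset(ctx->h, HASH_UNUSEDCHAR, ctx->n * HASH_ENTRYSIZE);

    if (IV)
        ctx->h[HASH(IV) & (ctx->n - 1)] = HASH_IV;

    for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
        /* Probe from this block's hash until an unused slot is found. */
        for (i = HASH(c) & (ctx->n - 1); ctx->h[i] != HASH_UNUSED;
             i = (i + 1) & (ctx->n - 1)) {
            if (ctx->h[i] == HASH_IV) {
                /*
                 * HASH_IV is only stored when IV is non-NULL, and the
                 * length check above keeps j from ever equalling it.
                 */
                if (!CMP(c, IV)) {
                    if (check_crc(c, buf, len, IV))
                        return 1;      /* attack detected */
                    else
                        break;
                }
            } else if (!CMP(c, buf + ctx->h[i] * SSH_BLOCKSIZE)) {
                if (check_crc(c, buf, len, IV))
                    return 1;          /* attack detected */
                else
                    break;
            }
        }
        ctx->h[i] = j;                 /* record this block's index */
    }
    return 0;                          /* ok */
}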