1 | /* $OpenBSD: deattack.c,v 1.14 2001/06/23 15:12:18 itojun Exp $ */ |
2 | |
3 | /* |
4 | * Cryptographic attack detector for ssh - source code |
5 | * |
6 | * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. |
7 | * |
8 | * All rights reserved. Redistribution and use in source and binary |
9 | * forms, with or without modification, are permitted provided that |
10 | * this copyright notice is retained. |
11 | * |
12 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
13 | * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE |
14 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR |
15 | * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS |
16 | * SOFTWARE. |
17 | * |
18 | * Ariel Futoransky <futo@core-sdi.com> |
19 | * <http://www.core-sdi.com> |
20 | * |
21 | * Modified for use in PuTTY by Simon Tatham |
22 | */ |
23 | |
24 | #include <assert.h> |
25 | #include "misc.h" |
26 | #include "ssh.h" |
27 | |
/* Local shorthand for raw bytes and for the 16-bit hash-table entries. */
typedef unsigned char uchar;
typedef unsigned short uint16;

/* SSH Constants */
/* Largest block count accepted; detect_attack() asserts len against it. */
#define SSH_MAXBLOCKS (32 * 1024)
/* Size in bytes of the blocks that are compared with each other. */
#define SSH_BLOCKSIZE (8)

/* Hashing constants */
/*
 * HASH_MINSIZE is the initial table size in bytes; crcda_make_context()
 * divides it by HASH_ENTRYSIZE to get the initial entry count.
 */
#define HASH_MINSIZE (8 * 1024)
#define HASH_ENTRYSIZE (sizeof(uint16))
/* The table is sized to at least 1.5 times the number of blocks. */
#define HASH_FACTOR(x) ((x)*3/2)
/*
 * The table is reset with memset(HASH_UNUSEDCHAR); an entry then reads as
 * HASH_UNUSED provided uint16 is two bytes wide (assumed, not checked here).
 */
#define HASH_UNUSEDCHAR (0xff)
/* Entry value meaning "slot is empty". */
#define HASH_UNUSED (0xffff)
/* Entry value meaning "slot stands for the IV", not a block index. */
#define HASH_IV (0xfffe)

/*
 * Despite the name this is a byte count (7 blocks): detect_attack()
 * compares it with len and uses pairwise comparison at or below it.
 */
#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE)

/* Read four bytes at cp as a big-endian value of type unsigned long. */
#define GET_32BIT_MSB_FIRST(cp) \
    (((unsigned long)(unsigned char)(cp)[0] << 24) | \
    ((unsigned long)(unsigned char)(cp)[1] << 16) | \
    ((unsigned long)(unsigned char)(cp)[2] << 8) | \
    ((unsigned long)(unsigned char)(cp)[3]))

/*
 * Hash function (Input keys are cipher results).
 * Only the first four bytes of a block are used; the caller masks the
 * result down to the table size.
 */
#define HASH(x) GET_32BIT_MSB_FIRST(x)

/* Compare two blocks; like memcmp, the result is zero when they are equal. */
#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE))

/*
 * Four-byte words fed to the CRC by check_crc().
 * NOTE(review): both arrays are writable and have external linkage;
 * nothing visible in this file modifies them.
 */
uchar ONE[4] = { 1, 0, 0, 0 };
uchar ZERO[4] = { 0, 0, 0, 0 };

58 | |
/*
 * Detector state carried between detect_attack() calls. It is created by
 * crcda_make_context() and released by crcda_free_context().
 */
struct crcda_ctx {
    uint16 *h;    /* hash table of block indices; NULL until detect_attack() allocates it */
    uint32 n;     /* entry count of h; used as an (n - 1) mask, so expected to be a power of two */
};
63 | |
/*
 * Create a detector context. No hash table is allocated here: h starts
 * out NULL and n records the initial entry count that detect_attack()
 * will use when it first allocates the table.
 *
 * The caller releases the result with crcda_free_context().
 */
void *crcda_make_context(void)
{
    struct crcda_ctx *ctx = snew(struct crcda_ctx);

    ctx->n = HASH_MINSIZE / HASH_ENTRYSIZE;
    ctx->h = NULL;

    return ctx;
}
71 | |
/*
 * Release a context made by crcda_make_context(), including its hash
 * table if one was allocated. A NULL handle is accepted and ignored.
 */
void crcda_free_context(void *handle)
{
    struct crcda_ctx *ctx = (struct crcda_ctx *)handle;

    if (ctx == NULL)
        return;

    sfree(ctx->h);
    ctx->h = NULL;    /* cleared before the context itself is freed */
    sfree(ctx);
}
81 | |
/*
 * Fold the four bytes at b into the running CRC stored at *a, using
 * crc32_update(), and write the new value back through a.
 */
static void crc_update(uint32 *a, void *b)
{
    uint32 next = crc32_update(*a, b, 4);

    *a = next;
}
86 | |
/*
 * Detect if a block is used in a particular pattern.
 *
 * Starting from a CRC of 0, one eight-byte record is fed in for the IV
 * (only when IV is non-NULL and equals S) and one for every block of buf.
 * The record is ONE followed by ZERO where the block equals S, and ZERO
 * followed by ZERO otherwise.
 *
 * Returns nonzero when the resulting CRC is 0. detect_attack() treats
 * that result as "attack detected".
 *
 * len is expected to be a multiple of SSH_BLOCKSIZE; this function does
 * not check it.
 */
static int check_crc(uchar *S, uchar *buf, uint32 len, uchar *IV)
{
    uint32 crc = 0;
    uchar *end = buf + len;
    uchar *blk;

    if (IV != NULL && CMP(S, IV) == 0) {
        crc_update(&crc, ONE);
        crc_update(&crc, ZERO);
    }

    for (blk = buf; blk < end; blk += SSH_BLOCKSIZE) {
        /* First word marks whether this block matches S; second is always zero. */
        crc_update(&crc, CMP(S, blk) == 0 ? ONE : ZERO);
        crc_update(&crc, ZERO);
    }

    return crc == 0;
}
109 | |
/*
 * Detect a crc32 compensation attack on a packet.
 *
 * handle: context from crcda_make_context(); its hash table is allocated
 *         or enlarged here when needed.
 * buf:    len bytes, examined as consecutive SSH_BLOCKSIZE-byte blocks.
 * len:    byte length; must be a multiple of SSH_BLOCKSIZE and no more
 *         than SSH_MAXBLOCKS * SSH_BLOCKSIZE.
 * IV:     optional SSH_BLOCKSIZE-byte block (may be NULL) that is treated
 *         as one more block that packet blocks can collide with.
 *
 * Returns 1 when a block that repeats (or equals the IV) is confirmed by
 * check_crc(), and 0 otherwise.
 *
 * NOTE(review): the limits on len are enforced only by assert(). If the
 * build defines NDEBUG the check disappears. A len that is not a multiple
 * of SSH_BLOCKSIZE then lets the last CMP() read past buf + len. A len
 * above the maximum lets block indices reach values that do not fit in,
 * or collide with the reserved markers of, the uint16 table entries.
 * Callers should validate len before calling - confirm that every caller does.
 */
int detect_attack(void *handle, uchar *buf, uint32 len, uchar *IV)
{
    struct crcda_ctx *ctx = (struct crcda_ctx *)handle;
    register uint32 i, j;
    uint32 l;
    register uchar *c;
    uchar *d;

    assert(!(len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
             len % SSH_BLOCKSIZE != 0));
    /* Grow the wanted entry count by factors of 4 until it covers
     * HASH_FACTOR times the number of blocks. */
    for (l = ctx->n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
        ;

    /* Allocate the table on first use, or enlarge it; it is never shrunk.
     * This happens even when the short-packet path below is taken. */
    if (ctx->h == NULL) {
        ctx->n = l;
        ctx->h = snewn(ctx->n, uint16);
    } else {
        if (l > ctx->n) {
            ctx->n = l;
            ctx->h = sresize(ctx->h, ctx->n, uint16);
        }
    }

    /* Short packets: compare each block with the IV and with every
     * earlier block directly, without using the hash table. */
    if (len <= HASH_MINBLOCKS) {
        for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
            if (IV && (!CMP(c, IV))) {
                if ((check_crc(c, buf, len, IV)))
                    return 1;          /* attack detected */
                else
                    break;             /* leaves the loop over c; returns 0 below */
            }
            for (d = buf; d < c; d += SSH_BLOCKSIZE) {
                if (!CMP(c, d)) {
                    if ((check_crc(c, buf, len, IV)))
                        return 1;      /* attack detected */
                    else
                        break;         /* leaves only the loop over d */
                }
            }
        }
        return 0;                      /* ok */
    }
    /* Longer packets: mark every table entry as unused before each scan. */
    memset(ctx->h, HASH_UNUSEDCHAR, ctx->n * HASH_ENTRYSIZE);

    /* Give the IV a slot so that a block equal to it is found as a collision. */
    if (IV)
        ctx->h[HASH(IV) & (ctx->n - 1)] = HASH_IV;

    /* j is the index of block c. Probe linearly from the block's hash
     * slot until an unused entry or an equal block is found. */
    for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
        for (i = HASH(c) & (ctx->n - 1); ctx->h[i] != HASH_UNUSED;
             i = (i + 1) & (ctx->n - 1)) {
            if (ctx->h[i] == HASH_IV) {
                /* HASH_IV is stored only when IV is non-NULL (see above). */
                if (!CMP(c, IV)) {
                    if (check_crc(c, buf, len, IV))
                        return 1;      /* attack detected */
                    else
                        break;
                }
            } else if (!CMP(c, buf + ctx->h[i] * SSH_BLOCKSIZE)) {
                /* The entry holds the index of an earlier block with the same contents. */
                if (check_crc(c, buf, len, IV))
                    return 1;          /* attack detected */
                else
                    break;
            }
        }
        /* Record this block's index in slot i. After a break above, this
         * overwrites the entry that matched. */
        ctx->h[i] = j;
    }
    return 0;                          /* ok */
}