9a3a93a5 |
1 | /* $OpenBSD: deattack.c,v 1.14 2001/06/23 15:12:18 itojun Exp $ */ |
2 | |
3 | /* |
4 | * Cryptographic attack detector for ssh - source code |
5 | * |
6 | * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. |
7 | * |
8 | * All rights reserved. Redistribution and use in source and binary |
9 | * forms, with or without modification, are permitted provided that |
10 | * this copyright notice is retained. |
11 | * |
12 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
13 | * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE |
14 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR |
15 | * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS |
16 | * SOFTWARE. |
17 | * |
18 | * Ariel Futoransky <futo@core-sdi.com> |
19 | * <http://www.core-sdi.com> |
20 | * |
21 | * Modified for use in PuTTY by Simon Tatham |
22 | */ |
23 | |
24 | #include <assert.h> |
25 | #include "misc.h" |
26 | #include "ssh.h" |
27 | |
28 | typedef unsigned char uchar; |
29 | typedef unsigned short uint16; |
30 | |
31 | /* SSH Constants */ |
32 | #define SSH_MAXBLOCKS (32 * 1024) |
33 | #define SSH_BLOCKSIZE (8) |
34 | |
35 | /* Hashing constants */ |
36 | #define HASH_MINSIZE (8 * 1024) |
37 | #define HASH_ENTRYSIZE (sizeof(uint16)) |
38 | #define HASH_FACTOR(x) ((x)*3/2) |
39 | #define HASH_UNUSEDCHAR (0xff) |
40 | #define HASH_UNUSED (0xffff) |
41 | #define HASH_IV (0xfffe) |
42 | |
43 | #define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) |
44 | |
45 | #define GET_32BIT_MSB_FIRST(cp) \ |
46 | (((unsigned long)(unsigned char)(cp)[0] << 24) | \ |
47 | ((unsigned long)(unsigned char)(cp)[1] << 16) | \ |
48 | ((unsigned long)(unsigned char)(cp)[2] << 8) | \ |
49 | ((unsigned long)(unsigned char)(cp)[3])) |
50 | |
51 | /* Hash function (Input keys are cipher results) */ |
52 | #define HASH(x) GET_32BIT_MSB_FIRST(x) |
53 | |
54 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) |
55 | |
56 | uchar ONE[4] = { 1, 0, 0, 0 }; |
57 | uchar ZERO[4] = { 0, 0, 0, 0 }; |
58 | |
59 | static void crc_update(uint32 *a, void *b) |
60 | { |
61 | *a = crc32_update(*a, b, 4); |
62 | } |
63 | |
64 | /* detect if a block is used in a particular pattern */ |
65 | static int check_crc(uchar *S, uchar *buf, uint32 len, uchar *IV) |
66 | { |
67 | uint32 crc; |
68 | uchar *c; |
69 | |
70 | crc = 0; |
71 | if (IV && !CMP(S, IV)) { |
72 | crc_update(&crc, ONE); |
73 | crc_update(&crc, ZERO); |
74 | } |
75 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
76 | if (!CMP(S, c)) { |
77 | crc_update(&crc, ONE); |
78 | crc_update(&crc, ZERO); |
79 | } else { |
80 | crc_update(&crc, ZERO); |
81 | crc_update(&crc, ZERO); |
82 | } |
83 | } |
84 | return (crc == 0); |
85 | } |
86 | |
87 | /* Detect a crc32 compensation attack on a packet */ |
88 | int detect_attack(uchar *buf, uint32 len, uchar *IV) |
89 | { |
90 | static uint16 *h = (uint16 *) NULL; |
91 | static uint32 n = HASH_MINSIZE / HASH_ENTRYSIZE; |
92 | register uint32 i, j; |
93 | uint32 l; |
94 | register uchar *c; |
95 | uchar *d; |
96 | |
97 | assert(!(len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || |
98 | len % SSH_BLOCKSIZE != 0)); |
99 | for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) |
100 | ; |
101 | |
102 | if (h == NULL) { |
103 | logevent("Installing CRC compensation attack detector"); |
104 | n = l; |
105 | h = (uint16 *) smalloc(n * HASH_ENTRYSIZE); |
106 | } else { |
107 | if (l > n) { |
108 | n = l; |
109 | h = (uint16 *) srealloc(h, n * HASH_ENTRYSIZE); |
110 | } |
111 | } |
112 | |
113 | if (len <= HASH_MINBLOCKS) { |
114 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
115 | if (IV && (!CMP(c, IV))) { |
116 | if ((check_crc(c, buf, len, IV))) |
117 | return 1; /* attack detected */ |
118 | else |
119 | break; |
120 | } |
121 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { |
122 | if (!CMP(c, d)) { |
123 | if ((check_crc(c, buf, len, IV))) |
124 | return 1; /* attack detected */ |
125 | else |
126 | break; |
127 | } |
128 | } |
129 | } |
130 | return 0; /* ok */ |
131 | } |
132 | memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); |
133 | |
134 | if (IV) |
135 | h[HASH(IV) & (n - 1)] = HASH_IV; |
136 | |
137 | for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
138 | for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; |
139 | i = (i + 1) & (n - 1)) { |
140 | if (h[i] == HASH_IV) { |
141 | if (!CMP(c, IV)) { |
142 | if (check_crc(c, buf, len, IV)) |
143 | return 1; /* attack detected */ |
144 | else |
145 | break; |
146 | } |
147 | } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { |
148 | if (check_crc(c, buf, len, IV)) |
149 | return 1; /* attack detected */ |
150 | else |
151 | break; |
152 | } |
153 | } |
154 | h[i] = j; |
155 | } |
156 | return 0; /* ok */ |
157 | } |