9a3a93a5 |
1 | /* $OpenBSD: deattack.c,v 1.14 2001/06/23 15:12:18 itojun Exp $ */ |
2 | |
3 | /* |
4 | * Cryptographic attack detector for ssh - source code |
5 | * |
6 | * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. |
7 | * |
8 | * All rights reserved. Redistribution and use in source and binary |
9 | * forms, with or without modification, are permitted provided that |
10 | * this copyright notice is retained. |
11 | * |
12 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
13 | * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE |
14 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR |
15 | * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS |
16 | * SOFTWARE. |
17 | * |
18 | * Ariel Futoransky <futo@core-sdi.com> |
19 | * <http://www.core-sdi.com> |
20 | * |
21 | * Modified for use in PuTTY by Simon Tatham |
22 | */ |
23 | |
24 | #include <assert.h> |
25 | #include "misc.h" |
26 | #include "ssh.h" |
27 | |
28 | typedef unsigned char uchar; |
29 | typedef unsigned short uint16; |
30 | |
31 | /* SSH Constants */ |
32 | #define SSH_MAXBLOCKS (32 * 1024) |
33 | #define SSH_BLOCKSIZE (8) |
34 | |
35 | /* Hashing constants */ |
36 | #define HASH_MINSIZE (8 * 1024) |
37 | #define HASH_ENTRYSIZE (sizeof(uint16)) |
38 | #define HASH_FACTOR(x) ((x)*3/2) |
39 | #define HASH_UNUSEDCHAR (0xff) |
40 | #define HASH_UNUSED (0xffff) |
41 | #define HASH_IV (0xfffe) |
42 | |
43 | #define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) |
44 | |
9a3a93a5 |
45 | /* Hash function (Input keys are cipher results) */ |
46 | #define HASH(x) GET_32BIT_MSB_FIRST(x) |
47 | |
48 | #define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) |
49 | |
50 | uchar ONE[4] = { 1, 0, 0, 0 }; |
51 | uchar ZERO[4] = { 0, 0, 0, 0 }; |
52 | |
0183b242 |
53 | struct crcda_ctx { |
54 | uint16 *h; |
55 | uint32 n; |
56 | }; |
57 | |
58 | void *crcda_make_context(void) |
59 | { |
3d88e64d |
60 | struct crcda_ctx *ret = snew(struct crcda_ctx); |
0183b242 |
61 | ret->h = NULL; |
62 | ret->n = HASH_MINSIZE / HASH_ENTRYSIZE; |
63 | return ret; |
64 | } |
65 | |
66 | void crcda_free_context(void *handle) |
67 | { |
679539d7 |
68 | struct crcda_ctx *ctx = (struct crcda_ctx *)handle; |
69 | if (ctx) { |
70 | sfree(ctx->h); |
71 | ctx->h = NULL; |
72 | sfree(ctx); |
73 | } |
0183b242 |
74 | } |
75 | |
9a3a93a5 |
76 | static void crc_update(uint32 *a, void *b) |
77 | { |
78 | *a = crc32_update(*a, b, 4); |
79 | } |
80 | |
81 | /* detect if a block is used in a particular pattern */ |
82 | static int check_crc(uchar *S, uchar *buf, uint32 len, uchar *IV) |
83 | { |
84 | uint32 crc; |
85 | uchar *c; |
86 | |
87 | crc = 0; |
88 | if (IV && !CMP(S, IV)) { |
89 | crc_update(&crc, ONE); |
90 | crc_update(&crc, ZERO); |
91 | } |
92 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
93 | if (!CMP(S, c)) { |
94 | crc_update(&crc, ONE); |
95 | crc_update(&crc, ZERO); |
96 | } else { |
97 | crc_update(&crc, ZERO); |
98 | crc_update(&crc, ZERO); |
99 | } |
100 | } |
101 | return (crc == 0); |
102 | } |
103 | |
104 | /* Detect a crc32 compensation attack on a packet */ |
0183b242 |
105 | int detect_attack(void *handle, uchar *buf, uint32 len, uchar *IV) |
9a3a93a5 |
106 | { |
0183b242 |
107 | struct crcda_ctx *ctx = (struct crcda_ctx *)handle; |
9a3a93a5 |
108 | register uint32 i, j; |
109 | uint32 l; |
110 | register uchar *c; |
111 | uchar *d; |
112 | |
113 | assert(!(len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || |
114 | len % SSH_BLOCKSIZE != 0)); |
0183b242 |
115 | for (l = ctx->n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) |
9a3a93a5 |
116 | ; |
117 | |
0183b242 |
118 | if (ctx->h == NULL) { |
119 | ctx->n = l; |
3d88e64d |
120 | ctx->h = snewn(ctx->n, uint16); |
9a3a93a5 |
121 | } else { |
0183b242 |
122 | if (l > ctx->n) { |
123 | ctx->n = l; |
3d88e64d |
124 | ctx->h = sresize(ctx->h, ctx->n, uint16); |
9a3a93a5 |
125 | } |
126 | } |
127 | |
128 | if (len <= HASH_MINBLOCKS) { |
129 | for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { |
130 | if (IV && (!CMP(c, IV))) { |
131 | if ((check_crc(c, buf, len, IV))) |
132 | return 1; /* attack detected */ |
133 | else |
134 | break; |
135 | } |
136 | for (d = buf; d < c; d += SSH_BLOCKSIZE) { |
137 | if (!CMP(c, d)) { |
138 | if ((check_crc(c, buf, len, IV))) |
139 | return 1; /* attack detected */ |
140 | else |
141 | break; |
142 | } |
143 | } |
144 | } |
145 | return 0; /* ok */ |
146 | } |
0183b242 |
147 | memset(ctx->h, HASH_UNUSEDCHAR, ctx->n * HASH_ENTRYSIZE); |
9a3a93a5 |
148 | |
149 | if (IV) |
0183b242 |
150 | ctx->h[HASH(IV) & (ctx->n - 1)] = HASH_IV; |
9a3a93a5 |
151 | |
152 | for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { |
0183b242 |
153 | for (i = HASH(c) & (ctx->n - 1); ctx->h[i] != HASH_UNUSED; |
154 | i = (i + 1) & (ctx->n - 1)) { |
155 | if (ctx->h[i] == HASH_IV) { |
9a3a93a5 |
156 | if (!CMP(c, IV)) { |
157 | if (check_crc(c, buf, len, IV)) |
158 | return 1; /* attack detected */ |
159 | else |
160 | break; |
161 | } |
0183b242 |
162 | } else if (!CMP(c, buf + ctx->h[i] * SSH_BLOCKSIZE)) { |
9a3a93a5 |
163 | if (check_crc(c, buf, len, IV)) |
164 | return 1; /* attack detected */ |
165 | else |
166 | break; |
167 | } |
168 | } |
0183b242 |
169 | ctx->h[i] = j; |
9a3a93a5 |
170 | } |
171 | return 0; /* ok */ |
172 | } |