From dfa641f758d4b8b2608ab1b00abaf88df0a8e36a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sun, 30 Apr 2017 23:26:16 +0000 Subject: [PATCH] upstream commit remove the (in)famous SSHv1 CRC compensation attack detector. Despite your cameo in The Matrix movies, you will not be missed. ok markus Upstream-ID: 44261fce51a56d93cdb2af7b6e184be629f667e0 --- LICENCE | 23 +------- Makefile.in | 2 +- deattack.c | 165 ---------------------------------------------------- deattack.h | 38 ------------ packet.c | 7 +-- 5 files changed, 3 insertions(+), 232 deletions(-) delete mode 100644 deattack.c delete mode 100644 deattack.h diff --git a/LICENCE b/LICENCE index f52387139..15248212a 100644 --- a/LICENCE +++ b/LICENCE @@ -75,27 +75,6 @@ OpenSSH contains no GPL code. PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -2) - The 32-bit CRC compensation attack detector in deattack.c was - contributed by CORE SDI S.A. under a BSD-style license. - - * Cryptographic attack detector for ssh - source code - * - * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. - * - * All rights reserved. Redistribution and use in source and binary - * forms, with or without modification, are permitted provided that - * this copyright notice is retained. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR - * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS - * SOFTWARE. - * - * Ariel Futoransky - * - 3) ssh-keyscan was contributed by David Mazieres under a BSD-style license. @@ -337,4 +316,4 @@ OpenSSH contains no GPL code. ------ -$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $ +$OpenBSD: LICENCE,v 1.20 2017/04/30 23:26:16 djm Exp $ diff --git a/Makefile.in b/Makefile.in index a7a6239c0..d7f17df8c 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -79,7 +79,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
 canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
 cipher-ctr.o cleanup.o \
- compat.o crc32.o deattack.o fatal.o hostfile.o \
+ compat.o crc32.o fatal.o hostfile.o \
 log.o match.o moduli.o nchan.o packet.o opacket.o \
 readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
diff --git a/deattack.c b/deattack.c
deleted file mode 100644
index e76481a6d..000000000
--- a/deattack.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/* $OpenBSD: deattack.c,v 1.32 2015/01/20 23:14:00 deraadt Exp $ */
-/*
- * Cryptographic attack detector for ssh - source code
- *
- * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
- *
- * All rights reserved. Redistribution and use in source and binary
- * forms, with or without modification, are permitted provided that
- * this copyright notice is retained.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
- * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
- * SOFTWARE.
- *
- * Ariel Futoransky
- *
- */
-
-#include "includes.h"
-
-#include
-#include
-#include
-
-#include "deattack.h"
-#include "crc32.h"
-#include "sshbuf.h"
-#include "misc.h"
-
-/*
- * CRC attack detection has a worst-case behaviour that is O(N^3) over
- * the number of identical blocks in a packet. This behaviour can be
- * exploited to create a limited denial of service attack.
- *
- * However, because we are dealing with encrypted data, identical
- * blocks should only occur every 2^35 maximally-sized packets or so.
- * Consequently, we can detect this DoS by looking for identical blocks
- * in a packet.
- *
- * The parameter below determines how many identical blocks we will
- * accept in a single packet, trading off between attack detection and
- * likelihood of terminating a legitimate connection. A value of 32
- * corresponds to an average of 2^40 messages before an attack is
- * misdetected
- */
-#define MAX_IDENTICAL 32
-
-/* SSH Constants */
-#define SSH_MAXBLOCKS (32 * 1024)
-#define SSH_BLOCKSIZE (8)
-
-/* Hashing constants */
-#define HASH_MINSIZE (8 * 1024)
-#define HASH_ENTRYSIZE (2)
-#define HASH_FACTOR(x) ((x)*3/2)
-#define HASH_UNUSEDCHAR (0xff)
-#define HASH_UNUSED (0xffff)
-#define HASH_IV (0xfffe)
-
-#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE)
-
-
-/* Hash function (Input keys are cipher results) */
-#define HASH(x) PEEK_U32(x)
-
-#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE))
-
-static void
-crc_update(u_int32_t *a, u_int32_t b)
-{
- b ^= *a;
- *a = ssh_crc32((u_char *)&b, sizeof(b));
-}
-
-/* detect if a block is used in a particular pattern */
-static int
-check_crc(const u_char *S, const u_char *buf, u_int32_t len)
-{
- u_int32_t crc;
- const u_char *c;
-
- crc = 0;
- for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
- if (!CMP(S, c)) {
- crc_update(&crc, 1);
- crc_update(&crc, 0);
- } else {
- crc_update(&crc, 0);
- crc_update(&crc, 0);
- }
- }
- return crc == 0;
-}
-
-void
-deattack_init(struct deattack_ctx *dctx)
-{
- bzero(dctx, sizeof(*dctx));
- dctx->n = HASH_MINSIZE / HASH_ENTRYSIZE;
-}
-
-/* Detect a crc32 compensation attack on a packet */
-int
-detect_attack(struct deattack_ctx *dctx, const u_char *buf, u_int32_t len)
-{
- u_int32_t i, j, l, same;
- u_int16_t *tmp;
- const u_char *c, *d;
-
- if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
- len % SSH_BLOCKSIZE != 0)
- return DEATTACK_ERROR;
- for (l = dctx->n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
- ;
-
- if (dctx->h == NULL) {
- if ((dctx->h = calloc(l, HASH_ENTRYSIZE)) == NULL)
- return DEATTACK_ERROR;
- dctx->n = l;
- } else {
- if (l > dctx->n) {
- if ((tmp = reallocarray(dctx->h, l, HASH_ENTRYSIZE))
- == NULL) {
- free(dctx->h);
- dctx->h = NULL;
- return DEATTACK_ERROR;
- }
- dctx->h = tmp;
- dctx->n = l;
- }
- }
-
- if (len <= HASH_MINBLOCKS) {
- for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
- for (d = buf; d < c; d += SSH_BLOCKSIZE) {
- if (!CMP(c, d)) {
- if ((check_crc(c, buf, len)))
- return DEATTACK_DETECTED;
- else
- break;
- }
- }
- }
- return DEATTACK_OK;
- }
- memset(dctx->h, HASH_UNUSEDCHAR, dctx->n * HASH_ENTRYSIZE);
-
- for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
- for (i = HASH(c) & (dctx->n - 1); dctx->h[i] != HASH_UNUSED;
- i = (i + 1) & (dctx->n - 1)) {
- if (!CMP(c, buf + dctx->h[i] * SSH_BLOCKSIZE)) {
- if (++same > MAX_IDENTICAL)
- return DEATTACK_DOS_DETECTED;
- if (check_crc(c, buf, len))
- return DEATTACK_DETECTED;
- else
- break;
- }
- }
- dctx->h[i] = j;
- }
- return DEATTACK_OK;
-}
diff --git a/deattack.h b/deattack.h
deleted file mode 100644
index ce67a30ff..000000000
--- a/deattack.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* $OpenBSD: deattack.h,v 1.11 2015/01/19 19:52:16 markus Exp $ */
-
-/*
- * Cryptographic attack detector for ssh - Header file
- *
- * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
- *
- * All rights reserved. Redistribution and use in source and binary
- * forms, with or without modification, are permitted provided that
- * this copyright notice is retained.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
- * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
- * SOFTWARE.
- *
- * Ariel Futoransky
- *
- */
-
-#ifndef _DEATTACK_H
-#define _DEATTACK_H
-
-/* Return codes */
-#define DEATTACK_OK 0
-#define DEATTACK_DETECTED 1
-#define DEATTACK_DOS_DETECTED 2
-#define DEATTACK_ERROR 3
-
-struct deattack_ctx {
- u_int16_t *h;
- u_int32_t n;
-};
-
-void deattack_init(struct deattack_ctx *);
-int detect_attack(struct deattack_ctx *, const u_char *, u_int32_t);
-#endif
diff --git a/packet.c b/packet.c
index 6cec93372..0e312c514 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.250 2017/04/30 23:23:54 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.251 2017/04/30 23:26:16 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -68,7 +68,6 @@

 #include "xmalloc.h"
 #include "crc32.h"
-#include "deattack.h"
 #include "compat.h"
 #include "ssh1.h"
 #include "ssh2.h"
@@ -216,9 +215,6 @@ struct session_state {
 /* One-off warning about weak ciphers */
 int cipher_warning_done;

- /* SSH1 CRC compensation attack detector */
- struct deattack_ctx deattack;
-
 /* Hook for fuzzing inbound packets */
 ssh_packet_hook_fn *hook_in;
 void *hook_in_ctx;
@@ -315,7 +311,6 @@ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
 return NULL;
 }
 state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL;
- deattack_init(&state->deattack);
 /*
 * Cache the IP address of the remote connection for use in error
 * messages that might be generated after the connection has closed.
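Review bot: The include hunk in packet.c (`@@ -68,7 +68,6 @@`) keeps `#include "crc32.h"` as context, and the Makefile.in hunk keeps `crc32.o` in `LIBSSH_OBJS`, while the only `ssh_crc32()` caller visible in this patch is `crc_update()` in the deleted deattack.c. The include list and the rest of the tree lie outside these hunks, so this is inferred rather than shown: if no other caller of `ssh_crc32()` remains, the include and the object are dead after this commit. In that case they should be dropped here or in a follow-up, so that unused SSHv1-era code does not stay in the build.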